Command Reference
Issue 03
Issue Date: 2009-06-18
Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.
Website: Email:
Copyright Huawei Technologies Co., Ltd. 2009. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Contents
About This Document ..... 1
1 System Management ..... 1-1
1.1 Basic Configuration Commands ..... 1-2
1.1.1 clock ..... 1-2
1.1.2 command-privilege ..... 1-4
1.1.3 display clock ..... 1-5
1.1.4 display history-command ..... 1-6
1.1.5 display hotkey ..... 1-6
1.1.6 display version ..... 1-8
1.1.7 header ..... 1-8
1.1.8 hotkey ..... 1-9
1.1.9 language-mode ..... 1-10
1.1.10 lock ..... 1-11
1.1.11 quit (All Views) ..... 1-12
1.1.12 return ..... 1-12
1.1.13 super ..... 1-13
1.1.14 super password ..... 1-14
1.1.15 sysname ..... 1-15
1.1.16 system-view ..... 1-16
1.2 User Interface Configuration Commands ..... 1-17
1.2.1 acl ..... 1-18
1.2.2 authentication-mode ..... 1-19
1.2.3 auto-execute command ..... 1-20
1.2.4 databits ..... 1-21
1.2.5 debugging rsa ..... 1-22
1.2.6 debugging ssh server ..... 1-22
1.2.7 debugging telnet ..... 1-23
1.2.8 display rsa local-key-pair public ..... 1-24
1.2.9 display rsa peer-public-key ..... 1-25
1.2.10 display ssh server ..... 1-26
1.2.11 display ssh user-information ..... 1-27
1.2.12 display tcp ..... 1-28
1.2.13 display user-interface ..... 1-29
Issue 03 (2009-06-18) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. i
Quidway Eudemon 1000E Unified Security Gateway Command Reference
1.2.14 display users ..... 1-30
1.2.15 flow-control ..... 1-31
1.2.16 free user-interface ..... 1-32
1.2.17 history-command max-size ..... 1-33
1.2.18 idle-timeout ..... 1-33
1.2.19 lock ..... 1-34
1.2.20 parity ..... 1-35
1.2.21 peer-public-key end ..... 1-36
1.2.22 protocol inbound ..... 1-36
1.2.23 public-key-code begin ..... 1-37
1.2.24 public-key-code end ..... 1-38
1.2.25 rsa local-key-pair create ..... 1-39
1.2.26 rsa local-key-pair destroy ..... 1-40
1.2.27 rsa peer-public-key ..... 1-41
1.2.28 screen-length ..... 1-42
1.2.29 send ..... 1-42
1.2.30 set authentication password ..... 1-43
1.2.31 shell ..... 1-44
1.2.32 speed ..... 1-45
1.2.33 ssh server authentication-retries ..... 1-46
1.2.34 ssh server rekey-interval ..... 1-47
1.2.35 ssh server timeout ..... 1-47
1.2.36 ssh user assign rsa-key ..... 1-48
1.2.37 ssh user authentication-type ..... 1-49
1.2.38 stopbits ..... 1-50
1.2.39 telnet ..... 1-51
1.2.40 user privilege ..... 1-51
1.2.41 user-interface ..... 1-52
1.2.42 user-interface maximum-vty ..... 1-53
1.3 Work Mode Configuration Commands ..... 1-54
1.3.1 display firewall mode ..... 1-54
1.3.2 display firewall transparent-mode address-table ..... 1-55
1.3.3 firewall mode ..... 1-56
1.3.4 firewall transparent-mode mac-aging-time ..... 1-57
1.3.5 firewall unknown-mac ..... 1-58
1.4 File System Commands ..... 1-59
1.4.1 ascii ..... 1-61
1.4.2 binary ..... 1-61
1.4.3 bye ..... 1-62
1.4.4 cd (User View) ..... 1-63
1.4.5 cd (FTP Client View) ..... 1-63
1.4.6 cdup ..... 1-64
1.4.7 close ..... 1-65
1.4.8 copy ..... 1-65
1.4.9 debugging vfs ..... 1-67
1.4.10 debugging (FTP Client View) ..... 1-67
1.4.11 delete (User View) ..... 1-68
1.4.12 delete (FTP Client View) ..... 1-69
1.4.13 dir (User View) ..... 1-70
1.4.14 dir (FTP Client View) ..... 1-71
1.4.15 disconnect ..... 1-71
1.4.16 display ftp-server ..... 1-72
1.4.17 display ftp-users ..... 1-73
1.4.18 display startup ..... 1-74
1.4.19 display this ..... 1-74
1.4.20 execute ..... 1-75
1.4.21 file prompt ..... 1-76
1.4.22 format ..... 1-77
1.4.23 ftp ..... 1-77
1.4.24 ftp server enable ..... 1-78
1.4.25 ftp timeout ..... 1-79
1.4.26 get ..... 1-80
1.4.27 lcd ..... 1-80
1.4.28 ls ..... 1-81
1.4.29 mkdir (User View) ..... 1-82
1.4.30 mkdir (FTP Client View) ..... 1-82
1.4.31 more ..... 1-83
1.4.32 move ..... 1-84
1.4.33 open ..... 1-85
1.4.34 passive ..... 1-85
1.4.35 put ..... 1-86
1.4.36 pwd (User View) ..... 1-87
1.4.37 pwd (FTP Client View) ..... 1-87
1.4.38 quit (FTP Client View) ..... 1-88
1.4.39 remotehelp ..... 1-89
1.4.40 rename ..... 1-89
1.4.41 reset recycle-bin ..... 1-90
1.4.42 rmdir (User View) ..... 1-91
1.4.43 rmdir (FTP Client View) ..... 1-92
1.4.44 tftp ..... 1-92
1.4.45 tftp-server acl ..... 1-93
1.4.46 undelete ..... 1-94
1.4.47 user ..... 1-94
1.4.48 verbose ..... 1-95
1.5 System Configuration Commands ..... 1-96
1.5.1 compare configuration ..... 1-97
1.5.2 debugging (User View) ..... 1-98
1.5.3 debugging license ..... 1-99
1.5.4 display saved-configuration ..... 1-100
1.5.5 display current-configuration ..... 1-101
1.5.6 display channel ..... 1-102
1.5.7 display debugging ..... 1-103
1.5.8 display diagnostic-information ..... 1-103
1.5.9 display environment ..... 1-104
1.5.10 display firewall logtime ..... 1-105
1.5.11 display firewall statistic stream ..... 1-106
1.5.12 display info-center ..... 1-106
1.5.13 display license ..... 1-107
1.5.14 display logbuffer ..... 1-108
1.5.15 display patch-information ..... 1-109
1.5.16 display trapbuffer ..... 1-110
1.5.17 firewall log stream enable ..... 1-111
1.5.18 firewall log-time ..... 1-112
1.5.19 firewall session log-type ..... 1-113
1.5.20 info-center channel ..... 1-114
1.5.21 info-center console channel ..... 1-115
1.5.22 info-center enable ..... 1-115
1.5.23 info-center logbuffer ..... 1-116
1.5.24 info-center loghost ..... 1-117
1.5.25 info-center loghost source ..... 1-118
1.5.26 info-center loghost type ..... 1-119
1.5.27 info-center monitor channel ..... 1-120
1.5.28 info-center snmp channel ..... 1-121
1.5.29 info-center source ..... 1-121
1.5.30 info-center timestamp ..... 1-124
1.5.31 info-center trapbuffer ..... 1-125
1.5.32 license file ..... 1-126
1.5.33 patch ..... 1-127
1.5.34 ping ..... 1-128
1.5.35 reboot ..... 1-130
1.5.36 reset logbuffer ..... 1-130
1.5.37 reset saved-configuration ..... 1-131
1.5.38 reset trapbuffer ..... 1-132
1.5.39 save ..... 1-132
1.5.40 service modem-callback ..... 1-133
1.5.41 session log enable ..... 1-134
1.5.42 startup system-software ..... 1-135
1.5.43 startup saved-configuration ..... 1-135
1.5.44 terminal debugging ..... 1-136
1.5.45 terminal logging ..... 1-137
1.5.46 terminal monitor ..... 1-137
1.5.47 terminal trapping ..... 1-138
1.5.48 tracert ..... 1-139
1.6 Web Management Commands ..... 1-140
1.6.1 debugging ssl ..... 1-140
1.6.2 debugging web-manager ..... 1-141
1.6.3 display web-manager ..... 1-142
1.6.4 web-manager ..... 1-143
1.7 NTP Configuration Commands ..... 1-144
1.7.1 debugging ntp-service ..... 1-145
1.7.2 display ntp-service sessions ..... 1-146
1.7.3 display ntp-service status ..... 1-147
1.7.4 display ntp-service trace ..... 1-149
1.7.5 ntp-service access ..... 1-149
1.7.6 ntp-service authentication enable ..... 1-151
1.7.7 ntp-service authentication-keyid ..... 1-151
1.7.8 ntp-service broadcast-client ..... 1-152
1.7.9 ntp-service broadcast-server ..... 1-153
1.7.10 ntp-service in-interface disable ..... 1-154
1.7.11 ntp-service max-dynamic-sessions ..... 1-155
1.7.12 ntp-service multicast-client ..... 1-155
1.7.13 ntp-service multicast-server ..... 1-156
1.7.14 ntp-service refclock-master ..... 1-157
1.7.15 ntp-service reliable authentication-keyid ..... 1-158
1.7.16 ntp-service source-interface ..... 1-159
1.7.17 ntp-service unicast-peer ..... 1-160
1.7.18 ntp-service unicast-server ..... 1-161
1.8 SNMP Configuration Commands ..... 1-162
1.8.1 debugging snmp-agent ..... 1-163
1.8.2 display snmp-agent ..... 1-164
1.8.3 display snmp-agent community ..... 1-164
1.8.4 display snmp-agent group ..... 1-165
1.8.5 display snmp-agent mib-view ..... 1-166
1.8.6 display snmp-agent statistics ..... 1-167
1.8.7 display snmp-agent sys-info ..... 1-169
1.8.8 display snmp-agent usm-user ..... 1-170
1.8.9 enable snmp trap updown ..... 1-171
1.8.10 snmp-agent ..... 1-172
Contents
Quidway Eudemon 1000E Unified Security Gateway Command Reference 1.8.11 snmp-agent community....................................................................................................................1-173 1.8.12 snmp-agent group.............................................................................................................................1-174 1.8.13 snmp-agent local-engineid...............................................................................................................1-175 1.8.14 snmp-agent mib-view.......................................................................................................................1-176 1.8.15 snmp-agent packet max-size............................................................................................................1-177 1.8.16 snmp-agent sys-info.........................................................................................................................1-177 1.8.17 snmp-agent target-host.....................................................................................................................1-178 1.8.18 snmp-agent trap enable.....................................................................................................................1-180 1.8.19 snmp-agent trap life..........................................................................................................................1-181 1.8.20 snmp-agent trap queue-size..............................................................................................................1-181 1.8.21 snmp-agent trap source.....................................................................................................................1-182 1.8.22 snmp-agent usm-user........................................................................................................................1-183
2 Internetworking..........................................................................................................................2-1
2.1 Interface Management Commands
    2.1.1 description
    2.1.2 display interface
    2.1.3 display ip interface
    2.1.4 interface
    2.1.5 ip binding
    2.1.6 reset counters interface
    2.1.7 shutdown (Interface View)
    2.1.8 firewall fifo enable
    2.1.9 firewall packet-capture
    2.1.10 firewall packet-capture startup
    2.1.11 firewall packet-capture send
    2.1.12 display firewall packet-capture
2.2 Ethernet Interface Configuration Commands
    2.2.1 debugging ethernet packet
    2.2.2 display interface
    2.2.3 duplex
    2.2.4 loopback
    2.2.5 mtu
    2.2.6 portswitch
    2.2.7 speed
    2.2.8 distribute-weight
2.3 Basic Logical Interface Configuration Commands
    2.3.1 broadcast-limit link
    2.3.2 display interface null
    2.3.3 display interface tunnel
    2.3.4 display interface virtual-template
    2.3.5 eth-trunk
    2.3.6 interface (Logic Interface View)
    2.3.7 interface eth-trunk
    2.3.8 load-balance (Trunk Interface View)
    2.3.9 display trunkfwdtbl
    2.3.10 display trunkmembership
    2.3.11 least active-linknumber
    2.3.12 max bandwidth-affected-linknumber
2.4 VLAN Configuration Commands
    2.4.1 display interface vlanif
    2.4.2 display vlan
    2.4.3 display vlan interface
    2.4.4 interface vlanif
    2.4.5 port interface
    2.4.6 port default vlan
    2.4.7 port trunk allow-pass vlan
    2.4.8 vlan
    2.4.9 vlan-type dot1q
2.5 IP Address Configuration Commands
    2.5.1 display ip interface
    2.5.2 ip address
    2.5.3 ip address unnumbered
2.6 ARP Configuration Commands
    2.6.1 arp detect-times
    2.6.2 arp expire-time
    2.6.3 arp-proxy enable
    2.6.4 arp static
    2.6.5 arp multi-mac-permit
    2.6.6 debugging arp packet
    2.6.7 display arp
    2.6.8 reset arp
2.7 Static Domain Name Resolution Commands
    2.7.1 display ip host
    2.7.2 ip host
2.8 DHCP Configuration Commands
    2.8.1 debugging dhcp relay
    2.8.2 debugging dhcp server
    2.8.3 dhcp enable
    2.8.4 dhcp relay
    2.8.5 dhcp select (Interface View)
    2.8.6 dhcp select (System View)
    2.8.7 dhcp server detect
    2.8.8 dhcp server dns-list (Interface View)
    2.8.9 dhcp server dns-list (System View)
    2.8.10 dhcp server domain-name (Interface View)
    2.8.11 dhcp server domain-name (System View)
    2.8.12 dhcp server expired (Interface View)
    2.8.13 dhcp server expired (System View)
    2.8.14 dhcp server forbidden-ip
    2.8.15 dhcp server ip-pool
    2.8.16 dhcp server nbns-list (Interface View)
    2.8.17 dhcp server nbns-list (System View)
    2.8.18 dhcp server netbios-type (Interface View)
    2.8.19 dhcp server netbios-type (System View)
    2.8.20 dhcp server option (Interface View)
    2.8.21 dhcp server option (System View)
    2.8.22 dhcp server ping
    2.8.23 dhcp server static-bind
    2.8.24 display dhcp relay address
    2.8.25 display dhcp relay statistics
    2.8.26 display dhcp server conflict
    2.8.27 display dhcp server expired
    2.8.28 display dhcp server free-ip
    2.8.29 display dhcp server ip-in-use
    2.8.30 display dhcp server statistics
    2.8.31 display dhcp server tree
    2.8.32 dns-list
    2.8.33 domain-name
    2.8.34 expired
    2.8.35 gateway-list
    2.8.36 ip relay address (Interface View)
    2.8.37 ip relay address (System View)
    2.8.38 ip relay address cycle
    2.8.39 nbns-list
    2.8.40 netbios-type
    2.8.41 network (DHCP)
    2.8.42 option
    2.8.43 reset dhcp relay statistics
    2.8.44 reset dhcp server conflict
    2.8.45 reset dhcp server ip-in-use
    2.8.46 reset dhcp server statistics
    2.8.47 static-bind ip-address
    2.8.48 static-bind mac-address
2.9 IP Performance Configuration Commands
    2.9.1 debugging ip
    2.9.2 debugging tcp event
    2.9.3 debugging tcp packet
    2.9.4 debugging udp packet
    2.9.5 debugging tcp md5
    2.9.6 display fib
    2.9.7 display fib I
    2.9.8 display fib acl
    2.9.9 display fib ip-prefix
    2.9.10 display fib longer
    2.9.11 display fib statistics
    2.9.12 display icmp statistics
    2.9.13 display ip socket
    2.9.14 display ip statistics
    2.9.15 display tcp statistics
    2.9.16 display tcp status
    2.9.17 display udp statistics
    2.9.18 reset tcp statistics
    2.9.19 reset udp statistics
    2.9.20 tcp timer fin-timeout
    2.9.21 tcp timer syn-timeout
    2.9.22 tcp window
2.10 Routing Table Display Commands
    2.10.1 display ip routing-table
    2.10.2 display ip routing-table (destination range specified)
    2.10.3 display ip routing-table (destination specified)
    2.10.4 display ip routing-table acl
    2.10.5 display ip routing-table ip-prefix
    2.10.6 display ip routing-table protocol
    2.10.7 display ip routing-table radix
    2.10.8 display ip routing-table statistics
    2.10.9 display ip routing-table verbose
2.11 Route Policy Configuration Commands
    2.11.1 apply access-vpn
    2.11.2 apply as-path
    2.11.3 apply community
    2.11.4 apply local-preference
    2.11.5 apply origin
    2.11.6 apply tag
    2.11.7 apply cost
    2.11.8 apply cost-type
    2.11.9 display ip as-path-acl
    2.11.10 display ip community-list
    2.11.11 display ip ip-prefix
    2.11.12 display ip policy
    2.11.13 display ip policy setup
    2.11.14 display ip policy statistics
    2.11.15 display route-policy
    2.11.16 if-match acl (unicast)
    2.11.17 if-match as-path
    2.11.18 if-match community
    2.11.19 if-match cost
    2.11.20 if-match interface
    2.11.21 if-match ip next-hop
    2.11.22 if-match ip-prefix
    2.11.23 if-match packet-length
    2.11.24 if-match tag
    2.11.25 ip as-path-acl
    2.11.26 ip community-list
    2.11.27 ip ip-prefix
    2.11.28 ip policy route-policy
    2.11.29 ip route-static
    2.11.30 route-policy
2.12 RIP Configuration Commands .... 2-175
2.12.1 checkzero .... 2-176
2.12.2 debugging rip .... 2-177
2.12.3 default cost (RIP View) .... 2-177
2.12.4 display rip .... 2-178
2.12.5 filter-policy export (RIP View) .... 2-179
2.12.6 filter-policy import (RIP View) .... 2-180
2.12.7 host-route .... 2-181
2.12.8 import-route (RIP View) .... 2-182
2.12.9 ipv4-family .... 2-183
2.12.10 network (RIP View) .... 2-184
2.12.11 peer (RIP View) .... 2-185
2.12.12 preference (RIP View) .... 2-186
2.12.13 reset .... 2-187
2.12.14 rip .... 2-187
2.12.15 rip authentication-mode .... 2-188
2.12.16 rip input .... 2-189
2.12.17 rip metricin .... 2-190
2.12.18 rip metricout .... 2-191
2.12.19 rip output .... 2-192
2.12.20 rip split-horizon .... 2-193
2.12.21 rip version .... 2-193
2.12.22 rip work .... 2-194
x Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 03 (2009-06-18)
2.12.23 summary .... 2-195
2.12.24 timers .... 2-196
2.13 OSPF Configuration Commands .... 2-197
2.13.1 abr-summary .... 2-199
2.13.2 area .... 2-200
2.13.3 asbr-summary .... 2-200
2.13.4 authentication-mode (OSPF Area View) .... 2-201
2.13.5 debugging ospf .... 2-202
2.13.6 default .... 2-204
2.13.7 default cost (OSPF View) .... 2-205
2.13.8 default interval .... 2-206
2.13.9 default limit .... 2-207
2.13.10 default tag .... 2-208
2.13.11 default type .... 2-208
2.13.12 default-cost .... 2-209
2.13.13 default-route-advertise .... 2-210
2.13.14 display debugging ospf .... 2-211
2.13.15 display ospf abr-asbr .... 2-213
2.13.16 display ospf asbr-summary .... 2-214
2.13.17 display ospf brief .... 2-215
2.13.18 display ospf cumulative .... 2-217
2.13.19 display ospf diagnostic-information .... 2-219
2.13.20 display ospf error .... 2-220
2.13.21 display ospf interface .... 2-221
2.13.22 display ospf lsdb .... 2-222
2.13.23 display ospf nexthop .... 2-226
2.13.24 display ospf peer .... 2-226
2.13.25 display ospf peer address .... 2-228
2.13.26 display ospf peer interface .... 2-228
2.13.27 display ospf peer route-id .... 2-229
2.13.28 display ospf request-queue .... 2-230
2.13.29 display ospf retrans-queue .... 2-231
2.13.30 display ospf routing .... 2-232
2.13.31 display ospf vlink .... 2-232
2.13.32 filter-policy export (OSPF View) .... 2-233
2.13.33 filter-policy import (OSPF View) .... 2-234
2.13.34 import-route (OSPF View) .... 2-235
2.13.35 network (OSPF Area View) .... 2-236
2.13.36 nssa .... 2-237
2.13.37 opaque-capability .... 2-238
2.13.38 ospf .... 2-239
2.13.39 ospf authentication-mode .... 2-240
Quidway Eudemon 1000E Unified Security Gateway Command Reference
2.13.40 ospf cost .... 2-241
2.13.41 ospf dr-priority .... 2-242
2.13.42 ospf mib-binding .... 2-243
2.13.43 ospf mtu-enable .... 2-244
2.13.44 ospf network-type .... 2-244
2.13.45 ospf timer dead .... 2-246
2.13.46 ospf timer hello .... 2-247
2.13.47 ospf timer poll .... 2-247
2.13.48 ospf timer retransmit .... 2-248
2.13.49 ospf trans-delay .... 2-249
2.13.50 peer (OSPF View) .... 2-250
2.13.51 preference (OSPF View) .... 2-251
2.13.52 reset ospf .... 2-252
2.13.53 router id .... 2-253
2.13.54 silent-interface .... 2-254
2.13.55 snmp-agent trap enable ospf .... 2-255
2.13.56 spf-schedule-interval .... 2-256
2.13.57 stub .... 2-257
2.13.58 vlink-peer .... 2-258
2.13.59 vpn-instance-capability simple .... 2-259
2.14 PPP Configuration Commands .... 2-260
2.14.1 ppp authentication-mode .... 2-260
2.14.2 ppp chap password .... 2-261
2.14.3 ppp chap user .... 2-262
2.14.4 ppp ipcp dns .... 2-262
2.14.5 ppp pap local-user .... 2-263
2.14.6 ppp timer negotiate .... 2-264
2.15 BGP Configuration Commands .... 2-265
2.15.1 aggregate .... 2-267
2.15.2 balance .... 2-268
2.15.3 bgp .... 2-269
2.15.4 compare-different-as-med (BGP) .... 2-269
2.15.5 confederation id .... 2-270
2.15.6 confederation nonstandard .... 2-271
2.15.7 confederation peer-as .... 2-272
2.15.8 dampening .... 2-273
2.15.9 debugging bgp .... 2-274
2.15.10 default local-preference .... 2-276
2.15.11 default med .... 2-276
2.15.12 default-route imported .... 2-277
2.15.13 display bgp group .... 2-278
2.15.14 display bgp network .... 2-279
2.15.15 display bgp paths .... 2-280
2.15.16 display bgp peer .... 2-281
2.15.17 display bgp routing-table .... 2-283
2.15.18 display bgp routing-table as-path-acl .... 2-285
2.15.19 display bgp routing-table cidr .... 2-286
2.15.20 display bgp routing-table community .... 2-287
2.15.21 display bgp routing-table community-list .... 2-288
2.15.22 display bgp routing-table dampened .... 2-289
2.15.23 display bgp routing-table different-origin-as .... 2-290
2.15.24 display bgp routing-table flap-info .... 2-291
2.15.25 display bgp routing-table peer .... 2-292
2.15.26 display bgp routing-table regular-expression .... 2-293
2.15.27 group (BGP View or VPN-Instance View) .... 2-294
2.15.28 import-route (BGP View) .... 2-295
2.15.29 ipv4-family .... 2-296
2.15.30 network (BGP View) .... 2-297
2.15.31 peer advertise-community (BGP) .... 2-297
2.15.32 peer allow-as-loop (BGP) .... 2-298
2.15.33 peer as-number .... 2-299
2.15.34 peer as-path-acl export .... 2-300
2.15.35 peer as-path-acl import .... 2-301
2.15.36 peer connect-interface (BGP) .... 2-302
2.15.37 peer default-route-advertise (BGP) .... 2-302
2.15.38 peer description (BGP) .... 2-303
2.15.39 peer ebgp-max-hop .... 2-304
2.15.40 peer enable (BGP) .... 2-305
2.15.41 peer filter-policy export (BGP) .... 2-306
2.15.42 peer filter-policy import (BGP) .... 2-307
2.15.43 peer group (BGP) .... 2-308
2.15.44 peer ip-prefix export (BGP) .... 2-309
2.15.45 peer ip-prefix import (BGP) .... 2-310
2.15.46 peer listen-only .... 2-311
2.15.47 peer next-hop-local (BGP) .... 2-311
2.15.48 peer password .... 2-312
2.15.49 peer public-as-only (BGP) .... 2-313
2.15.50 peer reflect-client (BGP) .... 2-314
2.15.51 peer route-policy export (BGP) .... 2-315
2.15.52 peer route-policy import (BGP) .... 2-316
2.15.53 peer route-update-interval (BGP) .... 2-316
2.15.54 peer timer .... 2-317
2.15.55 preference (BGP) .... 2-318
2.15.56 reflect between-clients (BGP) .... 2-319
2.15.57 reflector cluster-id (BGP) .... 2-320
2.15.58 refresh bgp .... 2-321
2.15.59 reset bgp .... 2-322
2.15.60 reset bgp dampening .... 2-322
2.15.61 reset bgp flap-info .... 2-323
2.15.62 reset bgp group .... 2-324
2.15.63 summary automatic (BGP) .... 2-325
2.15.64 timer keepalive hold (BGP) .... 2-325
2.16 Policy Routing Configuration Commands .... 2-326
2.16.1 traffic classifier .... 2-327
2.16.2 if-match acl (Traffic Classifier View) .... 2-327
2.16.3 traffic behavior .... 2-328
2.16.4 remark ip-nexthop .... 2-329
2.16.5 qos policy .... 2-330
2.16.6 classifier behavior .... 2-330
2.16.7 qos apply policy .... 2-331
2.16.8 display qos policy .... 2-332
2.16.9 display traffic behavior .... 2-333
2.16.10 display traffic classifier .... 2-333
2.17 QoS Configuration Commands .... 2-334
2.17.1 car .... 2-335
2.17.2 classifier behavior .... 2-336
2.17.3 display qos policy .... 2-336
2.17.4 display traffic behavior .... 2-337
2.17.5 display traffic classifier .... 2-338
2.17.6 firewall car-class .... 2-339
2.17.7 firewall conn-class .... 2-339
2.17.8 if-match acl (Traffic Classifier View) .... 2-340
2.17.9 qos apply policy .... 2-341
2.17.10 qos policy .... 2-342
2.17.11 traffic behavior .... 2-342
2.17.12 traffic classifier .... 2-343
3 Security Defense.........................................................................................................................3-1
3.1 VPN-instance Configuration Commands .... 3-3
3.1.1 display ip vpn-instance .... 3-3
3.1.2 ip vpn-instance .... 3-4
3.1.3 route-distinguisher .... 3-5
3.1.4 routing-table limit .... 3-6
3.2 ACL Configuration Commands .... 3-7
3.2.1 acl accelerate enable .... 3-7
3.2.2 acl (System View) .... 3-8
3.2.3 address .... 3-9
3.2.4 description .... 3-10
3.2.5 display acl .... 3-11
3.2.6 display ip address-set .... 3-12
3.2.7 display ip port-set .... 3-14
3.2.8 display time-range .... 3-15
3.2.9 ip address-set .... 3-17
3.2.10 ip port-set .... 3-18
3.2.11 port .... 3-19
3.2.12 rule .... 3-20
3.2.13 step .... 3-23
3.2.14 time-range .... 3-24
3.3 Security Zone Configuration Commands .... 3-25
3.3.1 add interface (Security Zone View) .... 3-25
3.3.2 display interzone .... 3-26
3.3.3 display zone .... 3-27
3.3.4 firewall interzone .... 3-28
3.3.5 firewall zone .... 3-29
3.3.6 set priority .... 3-30
3.4 Session Configuration Commands .... 3-31
3.4.1 display firewall session .... 3-31
3.4.2 firewall fragment-forward enable .... 3-33
3.4.3 firewall fragment-cache enable .... 3-34
3.4.4 firewall fragment-cache aging-time .... 3-35
3.4.5 firewall long-link .... 3-35
3.4.6 firewall long-link aging-time .... 3-36
3.4.7 firewall session aging-time .... 3-37
3.4.8 reset firewall session table .... 3-39
3.5 Packet Filter Configuration Commands .... 3-40
3.5.1 display firewall packet-filter default .... 3-41
3.5.2 firewall packet-filter default .... 3-42
3.5.3 packet-filter .... 3-43
3.6 Attack Defense and Packet Statistics Configuration Commands .... 3-43
3.6.1 debugging firewall defend tcp-illeage-session .... 3-45
3.6.2 display firewall defend flag .... 3-46
3.6.3 display firewall statistic .... 3-46
3.6.4 display firewall statistic stream .... 3-47
3.6.5 firewall defend all enable .... 3-48
3.6.6 firewall defend arp-flood .... 3-49
3.6.7 firewall defend arp-flood enable .... 3-50
3.6.8 firewall defend ddos .... 3-51
3.6.9 firewall defend fraggle enable .... 3-52
3.6.10 firewall defend icmp-flood .... 3-53
Quidway Eudemon 1000E Unified Security Gateway Command Reference

3.6.11 firewall defend icmp-flood enable ..... 3-54
3.6.12 firewall defend icmp-redirect enable ..... 3-55
3.6.13 firewall defend icmp-unreachable enable ..... 3-56
3.6.14 firewall defend ip-fragment enable ..... 3-57
3.6.15 firewall defend ip-spoofing enable ..... 3-57
3.6.16 firewall defend ip-sweep ..... 3-58
3.6.17 firewall defend ip-sweep enable ..... 3-59
3.6.18 firewall defend land enable ..... 3-60
3.6.19 firewall defend large-icmp ..... 3-60
3.6.20 firewall defend large-icmp enable ..... 3-61
3.6.21 firewall defend log-time ..... 3-62
3.6.22 firewall defend ping-of-death enable ..... 3-63
3.6.23 firewall defend port-scan ..... 3-63
3.6.24 firewall defend port-scan enable ..... 3-64
3.6.25 firewall defend route-record enable ..... 3-65
3.6.26 firewall defend smurf enable ..... 3-66
3.6.27 firewall defend source-route enable ..... 3-66
3.6.28 firewall defend syn-flood ..... 3-67
3.6.29 firewall defend syn-flood enable ..... 3-69
3.6.30 firewall defend tcp-flag enable ..... 3-70
3.6.31 firewall defend teardrop enable ..... 3-70
3.6.32 firewall defend time-stamp enable ..... 3-71
3.6.33 firewall defend tracert enable ..... 3-72
3.6.34 firewall defend udp-flood ..... 3-72
3.6.35 firewall defend udp-flood enable ..... 3-74
3.6.36 firewall defend dns-flood enable ..... 3-75
3.6.37 firewall defend dns-flood ..... 3-76
3.6.38 firewall defend get-flood enable ..... 3-78
3.6.39 firewall defend get-flood ..... 3-78
3.6.40 firewall defend get-flood uriblock ..... 3-80
3.6.41 firewall defend get-flood blacklist-timeout ..... 3-81
3.6.42 firewall defend tcp-illeage-session enable ..... 3-81
3.6.43 firewall defend tcp-illeage-session blacklist-timeout ..... 3-82
3.6.44 firewall defend tcp-illeage-session number ..... 3-83
3.6.45 firewall defend tcp-illeage-session packet ..... 3-84
3.6.46 firewall defend winnuke enable ..... 3-85
3.6.47 firewall source-ip detect aging-time ..... 3-86
3.6.48 firewall statistic system connect-number ..... 3-86
3.6.49 firewall statistic system enable ..... 3-88
3.6.50 statistic car ip ..... 3-88
3.6.51 statistic connect-number ..... 3-89
3.6.52 statistic ip-stat ..... 3-91
3.6.53 statistic enable ..... 3-92

3.7 ASPF Configuration Commands ..... 3-93
3.7.1 aspf packet-filter ..... 3-93
3.7.2 debugging e1000-aspf ..... 3-94
3.7.3 detect ..... 3-95
3.7.4 detect user-define ..... 3-95
3.7.5 display firewall servermap ..... 3-96

3.8 Blacklist Configuration Commands ..... 3-97
3.8.1 display firewall blacklist ..... 3-97
3.8.2 firewall blacklist aging-time ..... 3-99
3.8.3 firewall blacklist ..... 3-100
3.8.4 firewall blacklist enable ..... 3-100
3.8.5 firewall blacklist item ..... 3-101

3.9 MAC and IP Address Binding Configuration Commands ..... 3-102
3.9.1 display firewall mac-binding ..... 3-102
3.9.2 firewall mac-binding ..... 3-103

3.10 Port Mapping Configuration Commands ..... 3-104
3.10.1 display port-mapping ..... 3-104
3.10.2 port-mapping ..... 3-105

3.11 NAT Configuration Commands ..... 3-106
3.11.1 destination-nat ..... 3-106
3.11.2 display nat ..... 3-107
3.11.3 nat ..... 3-108
3.11.4 nat (Zone view) ..... 3-109
3.11.5 nat address-group ..... 3-110
3.11.6 nat arp-gratuitous send ..... 3-111
3.11.7 nat server ..... 3-112

3.12 Static Multicast Configuration Commands ..... 3-113
3.12.1 add interface (Static multicast interface set view) ..... 3-114
3.12.2 display multicast interface-set ..... 3-114
3.12.3 display multicast route-table static ..... 3-115
3.12.4 multicast interface-set ..... 3-116
3.12.5 multicast route-table static source ..... 3-116

3.13 Content Filtering Configuration Commands ..... 3-118
3.13.1 add ..... 3-118
3.13.2 deep-inspection group ..... 3-119
3.13.3 display deep-inspection ..... 3-119
3.13.4 firewall deep-inspection ..... 3-120

3.14 GTP Configuration Commands ..... 3-121
3.14.1 acl ..... 3-122
3.14.2 debugging gtp ..... 3-123
3.14.3 debugging gtp safebill ..... 3-124
3.14.4 display firewall gtp mcc ..... 3-125
3.14.5 display firewall gtp policy ..... 3-125
3.14.6 display firewall gtp safebill ..... 3-126
3.14.7 display firewall gtp statistics ..... 3-127
3.14.8 display firewall gtp tunnel ..... 3-130
3.14.9 filter message-type ..... 3-131
3.14.10 firewall gtp aging-time ..... 3-135
3.14.11 firewall gtp gtpingtp-deny enable ..... 3-135
3.14.12 firewall gtp limit ..... 3-136
3.14.13 firewall gtp mcc ..... 3-137
3.14.14 firewall gtp state-check enable ..... 3-138
3.14.15 firewall gtp statistics enable ..... 3-139
3.14.16 firewall gtp safebill location ..... 3-139
3.14.17 firewall gtp safebill id ..... 3-140
3.14.18 firewall gtp safebill enable ..... 3-141
3.14.19 firewall gtp safebill serverip ..... 3-142
3.14.20 firewall gtp tunnel-log enable ..... 3-142
3.14.21 gtp ..... 3-143
3.14.22 gtp policy ..... 3-144
3.14.23 ie-confirm enable ..... 3-145
3.14.24 message length enable ..... 3-148
3.14.25 reset firewall gtp statistics ..... 3-149
3.14.26 reset firewall gtp tunnel all ..... 3-149
3.14.27 reset rule counter ..... 3-150
3.14.28 rule (ACL configuration view for GTP policy) ..... 3-151
3.14.29 step (ACL configuration view for GTP policy) ..... 3-152

3.15 IDS Cooperation Configuration Commands ..... 3-153
3.15.1 debugging firewall ids ..... 3-153
3.15.2 display firewall ids ..... 3-154
3.15.3 firewall ids authentication type ..... 3-155
3.15.4 firewall ids enable ..... 3-156
3.15.5 firewall ids port ..... 3-156
3.15.6 firewall ids server ..... 3-157

3.16 AAA Configuration Commands ..... 3-158
3.16.1 aaa ..... 3-158
3.16.2 accounting-scheme (AAA View) ..... 3-159
3.16.3 accounting-mode ..... 3-160
3.16.4 authentication-mode (Authentication Scheme View) ..... 3-161
3.16.5 authentication-scheme (AAA View) ..... 3-161
3.16.6 display aaa configuration ..... 3-162
3.16.7 display authentication-scheme ..... 3-163
3.16.8 display ip pool ..... 3-164
3.16.9 display recording-scheme ..... 3-165
3.16.10 ip address ppp-negotiate ..... 3-166
3.16.11 ip pool ..... 3-166
3.16.12 recording-mode ..... 3-167
3.16.13 recording-scheme ..... 3-168
3.16.14 remote address ..... 3-169

3.17 RADIUS Server Configuration Commands ..... 3-170
3.17.1 debugging radius ..... 3-171
3.17.2 display radius-server configuration ..... 3-171
3.17.3 radius-server accounting ..... 3-172
3.17.4 radius-server accounting-stop-packet resend ..... 3-173
3.17.5 radius-server authentication ..... 3-174
3.17.6 radius-server nas-port-format ..... 3-175
3.17.7 radius-server nas-port-id-format ..... 3-176
3.17.8 radius-server retransmit ..... 3-177
3.17.9 radius-server shared-key ..... 3-178
3.17.10 radius-server template ..... 3-178
3.17.11 radius-server timeout ..... 3-179
3.17.12 radius-server traffic-unit ..... 3-180
3.17.13 radius-server type ..... 3-181
3.17.14 radius-server user-name domain-included ..... 3-181

3.18 HWTACACS Server Configuration Commands ..... 3-182
3.18.1 debugging hwtacacs ..... 3-183
3.18.2 display hwtacacs-server accounting-stop-packet ..... 3-184
3.18.3 display hwtacacs-server template ..... 3-184
3.18.4 hwtacacs-server accounting ..... 3-185
3.18.5 hwtacacs-server accounting-stop-packet ..... 3-186
3.18.6 hwtacacs-server authentication ..... 3-187
3.18.7 hwtacacs-server authorization ..... 3-188
3.18.8 hwtacacs-server shared-key ..... 3-189
3.18.9 hwtacacs-server source-ip ..... 3-189
3.18.10 hwtacacs-server template ..... 3-190
3.18.11 hwtacacs-server timer quiet ..... 3-191
3.18.12 hwtacacs-server timer response-timeout ..... 3-192
3.18.13 hwtacacs-server traffic-unit ..... 3-192
3.18.14 hwtacacs-server user-name domain-included ..... 3-193
3.18.15 reset hwtacacs-server accounting-stop-packet ..... 3-194
3.18.16 reset hwtacacs-server statistics ..... 3-195

3.19 Domain Configuration Commands ..... 3-195
3.19.1 access-limit ..... 3-196
3.19.2 accounting-scheme (AAA Domain View) ..... 3-197
3.19.3 acl-number ..... 3-198
Quidway Eudemon 1000E Unified Security Gateway Command Reference 3.19.4 authentication-scheme (AAA Domain View)..................................................................................3-198 3.19.5 authorization-mode...........................................................................................................................3-199 3.19.6 authorization-scheme (AAA Domain View)....................................................................................3-200 3.19.7 binding virtual-template...................................................................................................................3-201 3.19.8 display domain.................................................................................................................................3-202 3.19.9 dns....................................................................................................................................................3-203 3.19.10 domain............................................................................................................................................3-203 3.19.11 hwtacacs-server (AAA Domain View)..........................................................................................3-204 3.19.12 idle-cut............................................................................................................................................3-205 3.19.13 nbns................................................................................................................................................3-206 3.19.14 radius-server...................................................................................................................................3-207 3.19.15 state (AAA Domain View).............................................................................................................3-208 3.19.16 user-car (AAA Domain 
View).......................................................................................................3-208 3.19.17 user-priority....................................................................................................................................3-209
3.20 Local User Configuration Commands 3-210
3.20.1 cut access-user (AAA View) 3-211
3.20.2 display access-user 3-212
3.20.3 display local-user 3-214
3.20.4 local-user access-limit 3-215
3.20.5 local-user ftp-directory 3-216
3.20.6 local-user idle-cut 3-216
3.20.7 local-user l2tp-ip 3-217
3.20.8 local-user level 3-218
3.20.9 local-user password 3-219
3.20.10 local-user service-type 3-220
3.20.11 local-user state 3-221
3.20.12 local-user vpn-instance 3-221
3.20.13 vlan-batch user access-limit 3-222
3.20.14 vlan-batch user acl-number 3-223
3.20.15 vlan-batch user idle-cut 3-224
3.20.16 vlan-batch user interface 3-225
3.20.17 vlan-batch user service-type 3-227
3.20.18 vlan-batch user state 3-228
3.21 L2TP Configuration Commands 3-229
3.21.1 allow l2tp 3-229
3.21.2 pppoe-server bind virtual-template 3-231
3.21.3 debugging l2tp 3-231
3.21.4 display l2tp session 3-232
3.21.5 display l2tp tunnel 3-233
3.21.6 interface virtual-template 3-234
3.21.7 l2tp domain suffix-separator 3-235
3.21.8 l2tp enable 3-236
3.21.9 l2tp up-down log enable 3-236
3.21.10 l2tp-group 3-237
3.21.11 mandatory-chap 3-238
3.21.12 mandatory-lcp 3-239
3.21.13 reset l2tp tunnel local-id 3-240
3.21.14 reset l2tp tunnel peer-name 3-240
3.21.15 start l2tp 3-241
3.21.16 timer hold 3-242
3.21.17 tunnel authentication 3-243
3.21.18 tunnel avp-hidden 3-244
3.21.19 tunnel name 3-244
3.21.20 tunnel password 3-245
3.21.21 tunnel timer hello 3-246
3.22 GRE Configuration Commands 3-247
3.22.1 debugging tunnel 3-247
3.22.2 destination 3-248
3.22.3 display interface tunnel 3-249
3.22.4 gre checksum 3-250
3.22.5 gre key 3-251
3.22.6 interface tunnel 3-252
3.22.7 source 3-253
3.22.8 tunnel-protocol gre 3-254
3.23 IPSec Configuration Commands 3-255
3.23.1 ah authentication-algorithm 3-257
3.23.2 authentication-algorithm 3-257
3.23.3 authentication-method 3-258
3.23.4 debugging ike 3-259
3.23.5 debugging ikev2 3-260
3.23.6 debugging ipsec 3-261
3.23.7 dh 3-262
3.23.8 display ike peer 3-263
3.23.9 display ike proposal 3-264
3.23.10 display ike sa 3-265
3.23.11 display ipsec policy 3-266
3.23.12 display ipsec policy-template 3-269
3.23.13 display ipsec proposal 3-270
3.23.14 display ipsec sa 3-272
3.23.15 display ipsec statistics 3-275
3.23.16 encapsulation-mode 3-276
3.23.17 encryption-algorithm 3-277
3.23.18 esp authentication-algorithm 3-278
3.23.19 esp encryption-algorithm 3-279
Quidway Eudemon 1000E Unified Security Gateway Command Reference
3.23.20 exchange-mode 3-280
3.23.21 ... 3-281
3.23.22 ike local-name 3-282
3.23.23 ike peer 3-283
3.23.24 ike proposal 3-284
3.23.25 ike sa keepalive-timer interval 3-285
3.23.26 ike sa keepalive-timer timeout 3-286
3.23.27 ike sa nat-keepalive-timer interval 3-287
3.23.28 ike-peer 3-288
3.23.29 ike-proposal 3-288
3.23.30 integrity-algorithm 3-289
3.23.31 ipsec pre-check enable 3-290
3.23.32 ipsec succeed-check enable 3-291
3.23.33 ipsec policy (Interface View) 3-292
3.23.34 ipsec policy (System View) 3-292
3.23.35 ipsec policy-template 3-294
3.23.36 ipsec proposal 3-295
3.23.37 ipsec sa global-duration 3-296
3.23.38 local-address 3-297
3.23.39 local-id-type 3-298
3.23.40 nat traversal 3-299
3.23.41 pfs 3-300
3.23.42 pre-shared-key 3-300
3.23.43 proposal 3-301
3.23.44 remote-address 3-302
3.23.45 remote-name 3-303
3.23.46 reset ike sa 3-304
3.23.47 reset ipsec sa 3-305
3.23.48 reset ipsec statistics 3-306
3.23.49 sa authentication-hex 3-307
3.23.50 sa binding (IPSec Policy View in manual mode) 3-308
3.23.51 sa binding (IKE Peer View) 3-309
3.23.52 sa duration (IKE Proposal View) 3-310
3.23.53 sa duration (IPSec Policy View or IPSec Policy Template View) 3-311
3.23.54 sa encryption-hex 3-312
3.23.55 sa reauth duration 3-313
3.23.56 sa spi 3-314
3.23.57 sa string-key 3-315
3.23.58 security acl 3-317
3.23.59 speed-limit 3-318
3.23.60 transform 3-318
3.23.61 tunnel local 3-320
3.23.62 tunnel remote 3-321
3.23.63 version 3-321
3.24 P2P Traffic Limiting Configuration Commands 3-322
3.24.1 cir 3-323
3.24.2 cir default 3-324
3.24.3 debugging firewall p2p-car 3-324
3.24.4 display p2p-car class 3-325
3.24.5 display dpi pattern-file 3-327
3.24.6 display p2p-car statistic class 3-328
3.24.7 display p2p-car statistic protocol 3-329
3.24.8 display p2p-car statistic relation-table 3-331
3.24.9 firewall p2p-car default-permit 3-331
3.24.10 firewall p2p-car include 3-332
3.24.11 firewall dpi pattern-file active 3-333
3.24.12 firewall p2p-car relation-table aging-time 3-334
3.24.13 firewall p2p-detect behavior enable 3-335
3.24.14 firewall p2p-detect default-permit 3-335
3.24.15 firewall dpi packet-number 3-336
3.24.16 p2p-car 3-337
3.24.17 p2p-class 3-338
3.24.18 p2p-detect enable 3-339
3.24.19 p2p-detect mode 3-340
3.24.20 reset p2p-car statistic 3-341
3.24.21 undo cir index 3-341
3.25 Secospace Cooperation Configuration Commands 3-342
3.25.1 cut access-user (Secospace Cooperation Configuration View) 3-342
3.25.2 debugging right-manager 3-343
3.25.3 default acl 3099 3-345
3.25.4 display right-manager online-users 3-346
3.25.5 display right-manager role-id rule 3-347
3.25.6 display right-manager role-info 3-348
3.25.7 display right-manager server-group 3-349
3.25.8 display right-manager statistics 3-351
3.25.9 right-manager authentication 3-352
3.25.10 right-manager server-group active-minimum 3-353
3.25.11 right-manager server-group 3-353
3.25.12 right-manager server-group enable 3-354
3.25.13 right-manager status-detect enable 3-355
3.25.14 right-manager user user-name ip roles 3-356
3.25.15 server ip 3-357
3.25.16 sync role-info 3-358
4 Reliability 4-1
4.1 VRRP Backup Group Configuration Commands 4-2
4.1.1 debugging vrrp 4-2
4.1.2 debugging vrrp-group 4-3
4.1.3 display ip-link 4-4
4.1.4 display link-group 4-4
4.1.5 display vrrp 4-5
4.1.6 firewall composite-hrp permit-backupforward 4-6
4.1.7 ip-link 4-7
4.1.8 ip-link check enable 4-8
4.1.9 link-group 4-9
4.1.10 vrrp authentication-mode 4-9
4.1.11 vrrp un-check ttl 4-10
4.1.12 vrrp vrid timer advertise 4-11
4.1.13 vrrp vrid virtual-ip 4-12
4.1.14 vrrp vrid ip-link 4-13
4.1.15 vrrp virtual-mac enable 4-14
4.2 HRP Configuration Commands 4-15
4.2.1 debugging hrp 4-15
4.2.2 debugging hrp configuration check 4-16
4.2.3 display hrp 4-17
4.2.4 hrp auto-sync 4-17
4.2.5 hrp enable 4-18
4.2.6 hrp ospf-cost adjust-enable 4-19
4.2.7 hrp sync 4-20
4.2.8 hrp interface 4-21
4.2.9 hrp mirror session enable 4-22
4.2.10 hrp configuration check 4-22
4.2.11 hrp timer hello 4-23
4.2.12 hrp preempt delay 4-24
4.2.13 hrp track 4-25
Tables
Table 1-1 Views provided by the command line 1-4
Table 1-2 Description of the display users command output 1-31
Table 1-3 Description of the display firewall transparent-mode address-table command output 1-56
Table 1-4 Description of the display logbuffer command output 1-109
Table 1-5 Definition of eight information levels 1-122
Table 1-6 Definition of the default information channel for each output direction 1-123
Table 1-7 Description of the display ntp-service sessions command output 1-147
Table 1-8 Description of the display ntp-service status command output 1-148
Table 1-9 Description of the display snmp-agent group command output 1-166
Table 1-10 Description of the display snmp-agent mib-view command output 1-167
Table 1-11 Description of the display snmp-agent statistics command output 1-168
Table 2-1 Description of the display interface command output 2-4
Table 2-2 Description of the display ip interface GigabitEthernet 0/0/0 command output 2-7
Table 2-3 Description of the debugging ethernet packet command output 2-18
Table 2-4 Description of the display interface command output 2-20
Table 2-5 Description of the display interface tunnel command output 2-29
Table 2-6 Description of the display interface Virtual-Template command output 2-31
Table 2-7 Description of the display interface vlanif command output 2-40
Table 2-8 Description of the display ip interface GigabitEthernet 0/0/0 command output 2-49
Table 2-9 Description of the display arp command output 2-60
Table 2-10 Description of the display dhcp server conflict command output 2-88
Table 2-11 Description of the display dhcp server expired command output 2-89
Table 2-12 Description of the display dhcp server free-ip command output 2-90
Table 2-13 Description of the display dhcp server ip-in-use command output 2-91
Table 2-14 Description of the display dhcp server statistics command output 2-92
Table 2-15 Description of the display dhcp server tree command output 2-95
Table 2-16 Description of the display fib command output 2-115
Table 2-17 Description of the display fib | command output 2-117
Table 2-18 Description of the display fib acl command output 2-118
Table 2-19 Description of the display fib ip-prefix command output 2-120
Table 2-20 Description of the display fib longer command output 2-121
Table 2-21 Description of the display fib statistics command output 2-123
Table 2-22 Description of the display icmp statistic command output 2-124
Table 2-23 Description of the display ip socket command output 2-125
Table 2-24 Description of the display ip statistics command output 2-127
Table 2-25 Description of the display tcp statistics output 2-129
Table 2-26 Description of the display tcp status command output 2-131
Table 2-27 Description of the display udp statistics command output 2-132
Table 2-28 Description of the display ip routing-table command output 2-138
Table 2-29 Description of the display ip routing-table statistics command output 2-146
Table 2-30 Description of the display ip routing-table verbose command output 2-147
Table 2-31 Description of the display ip as-path-acl command output 2-156
Table 2-32 Description of the display ip community-filter command output 2-157
Table 2-33 Description of the display rip command output 2-179
Table 2-34 Description of the display debugging ospf command output 2-212
Table 2-35 Description of the display ospf abr-asbr command output 2-214
Table 2-36 Description of the display ospf asbr-summary command output 2-215
Table 2-37 Description of the display ospf cumulative command output 2-218
Table 2-38 Commands included in the display ospf diagnostic-information command 2-219
Table 2-39 Description of the display bgp peer command output 2-282
Table 2-40 Description of the display bgp peer verbose command output 2-282
Table 2-41 Description of the display bgp vpnv4 routing-table command output 2-285
Table 3-1 Description of the display ip vpn-instance verbose command output 3-4
Table 3-2 Description of the display ip address-set all command output 3-13
Table 3-3 Description of the display ip port-set all command output 3-15
Table 3-4 Description of the display time-range all command output 3-16
Table 3-5 Description of the debugging gtp all command output 3-124
Table 3-6 Description of the display firewall gtp mcc command output 3-125
Table 3-7 Description of the display firewall gtp statistics command output 3-129
Table 3-8 Description of the display firewall gtp tunnel command output 3-131
Table 3-9 Description of the display l2tp session command output 3-233
Table 3-10 Description of the display l2tp tunnel command output 3-234
Table 3-11 Description of the display interface tunnel 0 command output 3-250
Table 3-12 Description of the display ike peer command output 3-264
Table 3-13 Description of the display ike proposal command output 3-265
Table 3-14 Description of the display ike sa command output 3-266
Table 3-15 Description of the display ipsec policy brief command output 3-268
Table 3-16 Description of the display ipsec policy command output 3-269
Table 3-17 Description of the display ipsec policy-template brief command output 3-270
Table 3-18 Description of the display ipsec proposal command output 3-271
Table 3-19 Description of the display ipsec sa brief command output 3-273
Table 3-20 Description of the display ipsec sa command output 3-274
Table 3-21 Description of the display ipsec statistics command output 3-276
Table 3-22 Description of the display p2p-car class command output
3-326 Table 3-23 Description of the display p2p-car statistic classcommand output.............................................3-329
xxvi
Issue 03 (2009-06-18)
Tables
Table 3-24 Description of the display p2p-car statistic protocol command output......................................3-330 Table 3-25 Description of the debugging right-manager command output..................................................3-344 Table 3-26 Description of the display right-manager online-users command output..................................3-347 Table 3-27 Description of the display right-manager role-info command output........................................3-349 Table 3-28 Description of the display right-manager server-group command output.................................3-350 Table 3-29 Description of the display right-manager statistics command output........................................3-352
Issue 03 (2009-06-18)
xxvii
Related Versions
The following table lists the product versions related to this document.

Product Name           Version
Quidway Eudemon 1000E  V100R002
Intended Audience
This document is intended for:
Organization
This document is organized as follows.

Chapter              Description
1 System Management  This chapter describes the commands used for the configuration of security features, Eudemon management, working modes, file system, software upgrade, debugging tool display, information center, log maintenance, NTP, and SNMP.
2 Internetworking    This chapter describes the commands used for the configuration of the network interface, logical interfaces, link layer protocols such as PPP and VLAN, IP address, IP performance, address resolution, DHCP, static route, RIP route, OSPF route, BGP route, and policy route.
3 Security Defense   This chapter describes the commands used in the virtual Unified Security Gateway, ACL base, packet filter, attack defence, security policy, ASPF, blacklist, NAT, GTP, IDS cooperation, AAA, RADIUS server, P2P traffic limiting, L2TP, IPSec and GRE.
4 Reliability        This chapter describes the commands used for the configuration of router backup and two-node cluster hot backup.
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol   Description
DANGER   Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING  Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION  Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP      Indicates a tip that may help you solve a problem or save time.
NOTE     Provides additional information to emphasize or supplement important points of the main text.
General Conventions
The general conventions that may be found in this document are defined as follows.

Convention       Description
Times New Roman  Normal paragraphs are in Times New Roman.
Boldface         Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic           Book titles are in italics.
Courier New      Examples of information displayed on the screen are in Courier New.
Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention        Description
Boldface          The keywords of a command line are in boldface.
Italic            Command arguments are in italics.
[ ]               Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }   Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]   Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*  Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*  Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Convention  Description
Boldface    Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>           Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.
Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Format        Description
Key           Press the key. For example, press Enter and press Tab.
Key 1+Key 2   Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2  Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.
Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Action        Description
Click         Select and release the primary mouse button without moving the pointer.
Double-click  Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag          Press and hold the primary mouse button and move the pointer to a certain position.
Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.
1 System Management
About This Chapter
1.1 Basic Configuration Commands
1.3 Work Mode Configuration Commands
1.4 File System Commands
1.5 System Configuration Commands
1.6 Web Management Commands
1.7 NTP Configuration Commands
1.8 SNMP Configuration Commands
1.1.1 clock
Function
Using the clock command, you can set the current date and clock, name of daylight saving time, start and end time, and local time zone of the Eudemon. Using the undo clock command, you can restore the default setting.
Format
clock datetime time date
clock summer-time time-zone-name { one-off | repeating } start-time start-date end-time end-date offset
clock summer-time time-zone-name repeating start-time { start-year month { first | second | third | fourth | fifth | last } weekday | start-date } end-time { end-year month { first | second | third | fourth | fifth | last } weekday | end-date } offset
clock timezone zone-name { add | minus } offset
undo clock { summer-time | timezone }
Parameters
time: specifies the current clock in the format of HH:MM:SS. HH ranges from 0 to 23, and MM and SS range from 0 to 59.
date: specifies the current year, month and day in the format of YYYY/MM/DD. YYYY ranges from 2000 to 2099, MM ranges from 1 to 12, and DD ranges from 1 to 31.
time-zone-name: specifies the name of daylight saving time (DST) with a character string of 1 to 32 characters.
one-off: specifies the daylight saving time for a specific year.
repeating: specifies the daylight saving time for each year since a specific year.
start-time: specifies the beginning time of the daylight saving time in the format of HH:MM:SS. HH ranges from 0 to 23, and MM and SS range from 0 to 59.
start-date: specifies the beginning date of the daylight saving time in the format of YYYY/MM/DD. YYYY ranges from 2000 to 2099, MM ranges from 1 to 12, and DD ranges from 1 to 31.
end-time: specifies the ending time of the daylight saving time in the format of HH:MM:SS. HH ranges from 0 to 23, and MM and SS range from 0 to 59.
end-date: specifies the ending date of the daylight saving time in the format of YYYY/MM/DD. YYYY ranges from 2000 to 2099, MM ranges from 1 to 12, and DD ranges from 1 to 31.
offset: specifies the time offset of the daylight saving time compared with UTC time. The value is in the format of HH:MM:SS. HH ranges from 0 to 23, and MM and SS range from 0 to 59.
start-year: specifies the beginning year of the daylight saving time. It is an integer that ranges from 2000 to 2099.
month: specifies the month. The value range is January, February, March, April, May, June, July, August, September, October, November and December.
weekday: specifies the weekday. The value range is Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday.
end-year: specifies the ending year of the daylight saving time. It is an integer that ranges from 2000 to 2099.
add: refers to the time added compared with UTC time.
minus: refers to the time subtracted compared with UTC time.
Views
User view
Default Level
3: Management level
Usage Guidelines
In application environments where absolute time is strictly required, the current date and clock of the Eudemon must be set. The seconds field of the time parameter may be omitted.
You can use the display clock command to view the setting after it takes effect. In addition, message times such as log time and debug time use the local time adjusted by the time zone and daylight saving time.
Examples
# Set the current date of the Eudemon to 0:0:0 01/01/2001.
<Eudemon> clock datetime 0:0:0 2001/01/01
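Because log and debug timestamps are printed in local time adjusted by the time zone and daylight saving time, correlating Eudemon logs with other sources means converting them back to UTC. The following Python is an added example, not Huawei's code or output from the device: it resolves a repeating summer-time rule of the form shown above (start-year, month, ordinal, weekday) to concrete dates for a given year and converts a local timestamp to UTC. It assumes that the DST offset is applied on top of the configured time zone offset and that the rule's start and end are compared as wall-clock times (end exclusive); the sample time zone, rule and timestamps are constructed.

```python
import calendar
from datetime import datetime, timedelta

# Keyword tables matching the 'month' and 'weekday' parameter values of clock summer-time
MONTHS = {name: i for i, name in enumerate(calendar.month_name) if name}   # "January" -> 1
WEEKDAYS = {name: i for i, name in enumerate(calendar.day_name)}           # "Monday" -> 0
ORDINALS = {"first": 0, "second": 1, "third": 2, "fourth": 3, "fifth": 4, "last": -1}

# Constructed sample, equivalent to:
#   clock timezone CET add 01:00:00
#   clock summer-time CEST repeating 02:00:00 2009 March last Sunday 03:00:00 2009 October last Sunday 01:00:00
SAMPLE_TZ = ("add", "01:00:00")
SAMPLE_RULE = {
    "start_year": 2009,
    "start_time": "02:00:00", "start_month": "March", "start_ordinal": "last", "start_weekday": "Sunday",
    "end_time": "03:00:00", "end_month": "October", "end_ordinal": "last", "end_weekday": "Sunday",
    "offset": "01:00:00",
}


def parse_hms(text):
    """Parse HH:MM:SS, or HH:MM since the seconds field may be omitted."""
    parts = [int(p) for p in text.split(":")]
    if len(parts) == 2:
        parts.append(0)
    if len(parts) != 3:
        raise ValueError("bad time: %r" % text)
    h, m, s = parts
    if not (0 <= h <= 23 and 0 <= m <= 59 and 0 <= s <= 59):
        raise ValueError("time out of range: %r" % text)
    return timedelta(hours=h, minutes=m, seconds=s)


def nth_weekday(year, month, ordinal, weekday):
    """Date of, for example, the 'last' 'Sunday' of 'March' in the given year."""
    m, wd = MONTHS[month], WEEKDAYS[weekday]
    days = [d for d in range(1, calendar.monthrange(year, m)[1] + 1)
            if calendar.weekday(year, m, d) == wd]
    idx = ORDINALS[ordinal]
    if idx >= len(days):  # a 'fifth' weekday does not exist in every month
        raise ValueError("%s %d has no %s %s" % (month, year, ordinal, weekday))
    return datetime(year, m, days[idx])


def dst_window(year, rule):
    """Wall-clock start and end of daylight saving time in `year` under a repeating rule."""
    start = nth_weekday(year, rule["start_month"], rule["start_ordinal"], rule["start_weekday"])
    end = nth_weekday(year, rule["end_month"], rule["end_ordinal"], rule["end_weekday"])
    return start + parse_hms(rule["start_time"]), end + parse_hms(rule["end_time"])


def local_to_utc(local, tz, rule=None):
    """Convert a timestamp as printed in the device's logs back to UTC.

    Assumption: the summer-time offset is added to the time zone offset while
    the wall-clock time lies inside the DST window (end exclusive)."""
    sign, tz_offset = tz
    offset = parse_hms(tz_offset)
    if sign == "minus":
        offset = -offset
    if rule is not None and local.year >= rule["start_year"]:
        start, end = dst_window(local.year, rule)
        if start <= local < end:
            offset += parse_hms(rule["offset"])
    return local - offset


if __name__ == "__main__":
    for stamp in ("2009/01/15 12:00:00", "2009/07/01 12:00:00"):
        local = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S")
        print(stamp, "local ->", local_to_utc(local, SAMPLE_TZ, SAMPLE_RULE), "UTC")
```

The one-off form of the command, which gives explicit start-date and end-date values, needs no weekday resolution; only the repeating form requires computing the n-th weekday per year.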
1.1.2 command-privilege
Function
Using the command-privilege command, you can set the command level of the specified view. Using the undo command-privilege command, you can cancel the setting.
Format
command-privilege level level view view command
undo command-privilege view view command
Parameters
level level: specifies the precedence of a command. It is an integer that ranges from 0 to 3.
view view: specifies the view name. Table 1-1 lists the views provided by the command line in three categories.

Table 1-1 Views provided by the command line
Classification            View
System maintenance views  User view, system view, user interface view, FTP client view, RSA public key view, and RSA public key edition view
                          Basic interface view, RIP view, and route policy view
                          RADIUS template view, ISP domain view, ACL view, region view, inter-domain view, IPSec proposal view, IPSec security policy view, IPSec security policy template view, and IKE proposal view
Views
System view
Default Level
3: Management level
Usage Guidelines
The commands are divided into four levels, that is, visit, monitoring, configuration, and management, identified as 0 to 3 respectively. An administrator can authorize users as required to enable them to operate in the corresponding view. A login user can run commands according to the authorization corresponding to the user name or user interface. If these two privileges conflict with each other, the one corresponding to the user name is adopted. By default, the ping, tracert, and telnet commands are of the visit level (0). The display and debugging commands are of the monitoring level (1). Most configuration commands are of the configuration level (2). The command to configure the user key, FTP commands, XModem commands, TFTP commands, and file system operation commands are of the management level (3).
Examples
# Set the privilege of the interface command to 0.
<Eudemon> system-view
[Eudemon] command-privilege level 0 view system interface
Format
display clock
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Using this command, you can check whether the system time is correct and correct it promptly.
Examples
# View the current date and time of the system.
<Eudemon> display clock
15:50:45 UTC Mon 2003/02/12
Format
display history-command
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The terminal automatically saves the history commands entered by the user, that is, it records each keyboard entry terminated by Enter. The user can view the saved history commands with the display history-command command.
Examples
# Display history commands.
<Eudemon> display history-command
display interface
display interface Ethernet 1/0/0
interface Ethernet 1/0/0
Format
display hotkey
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Using the display hotkey command, you can view the following three types of hotkeys:
- User-defined hotkeys
- User-definable undefined hotkeys that are displayed as "NULL"
- System hotkeys
Examples
# Display the Eudemon system hotkeys.
<Eudemon> display hotkey
----------------- HOTKEY -----------------
            =Defined hotkeys=
Hotkeys     Command
CTRL_G      display current-configuration
CTRL_L      display ip routing-table
CTRL_O      undo debug all

            =Undefined hotkeys=
Hotkeys     Command
CTRL_T      NULL
CTRL_U      NULL

            =System hotkeys=
Hotkeys     Function
CTRL_A      Move the cursor to the beginning of the current line.
CTRL_B      Move the cursor one character left.
CTRL_C      Stop current command function.
CTRL_D      Erase current character.
CTRL_E      Move the cursor to the end of the current line.
CTRL_F      Move the cursor one character right.
CTRL_H      Erase the character left of the cursor.
CTRL_K      Kill outgoing connection.
CTRL_N      Display the next command from the history buffer.
CTRL_P      Display the previous command from the history buffer.
CTRL_R      Redisplay the current line.
CTRL_V      Paste text from the clipboard.
CTRL_W      Delete the word left of the cursor.
CTRL_X      Delete all characters up to the cursor.
CTRL_Y      Delete all characters after the cursor.
CTRL_Z      Return to the user view.
CTRL_]      Kill incoming connection or redirect connection.
ESC_B       Move the cursor one word back.
ESC_D       Delete remainder of word.
ESC_F       Move the cursor forward one word.
ESC_N       Move the cursor down a line.
ESC_P       Move the cursor up a line.
ESC_<
ESC_>
Format
display version
Parameters
None
Views
All views
Default Level
2: Configuration level
Usage Guidelines
By viewing the version information, you can get the information about the current software version, frame type, the active control board and the interface board.
Examples
<Eudemon> display version
1.1.7 header
Function
Using the header command, you can enable displaying the title. Using the undo header command, you can disable displaying the title.
Format
header { shell | login } { file file-name | information information-text }
undo header { shell | login }
Parameters
login: indicates the login messages.
shell: indicates the user session title.
file: specifies the contents of the file with the indicated file name.
file-name: specifies the file name used by the title, the length of which is 5 to 56 characters.
information: indicates the title information.
information-text: specifies the contents of the title. The value is in the range of 1 to 220 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When a user logs in to the Eudemon through a terminal line, the Eudemon displays the configured title messages to the user. After the terminal connection is activated, the login title is sent to the terminal. If the user logs in successfully, the shell title is displayed. The first English character entered is used as the start and end delimiter of the text. After the user enters the end delimiter, the system automatically exits from the interactive input. The start and end delimiters of the text must be the same English character; after entering the end delimiter, press Enter to exit from the interactive input.
Examples
# Configure the user session title.
<Eudemon> system-view
[Eudemon] header shell information %
Input banner text, and quit with the character '%'.
SHELL : Hello! Welcome to use Eudemon firewall%
[Eudemon] quit
<Eudemon>
1.1.8 hotkey
Function
Using the hotkey command, you can configure the user-defined hotkey. Using the undo hotkey command, you can remove the user-defined hotkey, or restore the default self-defined hotkey.
Format
hotkey hotkey command
undo hotkey hotkey
Parameters
hotkey: specifies a hotkey with a string of characters. You can define five hotkeys, including <CTRL_G>, <CTRL_L>, <CTRL_O>, <CTRL_T> and <CTRL_U>.
command: specifies the command to be executed by the hotkey.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the default values of hotkeys <CTRL_G>, <CTRL_L> and <CTRL_O> are as follows:
- <CTRL_G> is equal to display current-configuration (used to display the current configuration)
- <CTRL_L> is equal to display ip routing-table (used to display routing table information)
- <CTRL_O> is equal to undo debugging all (used to disable the overall debugging function, that is, to disable the output of all debugging information)
Examples
# Make the self-defined hotkey <CTRL_T> to execute the command display tcp status.
<Eudemon> system-view
[Eudemon] hotkey ctrl_t display tcp status
1.1.9 language-mode
Function
Using the language-mode command, you can change the language mode of the command line interface.
Format
language-mode { chinese | english }
Parameters
chinese: changes the language mode of the system to Chinese. english: changes the language mode of the system to English.
Views
User view
Default Level
0: Visit level
Usage Guidelines
By default, the language mode of the system is English. After the system switches to Chinese mode, the prompts and echo messages of the command line on the system interface are displayed in Chinese.
Examples
# Change the English mode to the Chinese mode.
<Eudemon> language-mode chinese
Change language mode, confirm? [Y/N] y
1.1.10 lock
Function
Using the lock command, you can lock the current user interface so as to prevent the unauthorized users from operating on the terminal interface.
Format
lock
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
The user interface includes the console interface, VTY virtual terminal, and so on. When the user enters the lock command, the system prompts you to enter a screen-saver password twice; if the two entries match, the current user interface is locked. After that, to enter the system, press Enter first and enter the password when prompted. When you enter the password configured just now, the user interface is unlocked and you can enter the system.
Examples
# A user logs in from the Console port and locks the current user interface.
<Eudemon> lock
Password:xxxx
Again:xxxx
Format
quit
Parameters
None
Views
All views
Default Level
0: Visit level
Usage Guidelines
All the command modes are divided into three levels, which are as follows from the lowest to the highest:
- User view (user level is 0).
- System view (user level is 2).
- Routing protocol view, interface view, VPDN group view, etc.
Examples
# Return to the system view from the GigabitEthernet0/0/0 view and then to the user view.
[Eudemon-GigabitEthernet0/0/0] quit
[Eudemon] quit
<Eudemon>
1.1.12 return
Function
Using the return command, you can return to user view from any view other than user view and public key view.
Format
return
Parameters
None
Views
All views
Default Level
2: Configuration level
Usage Guidelines
The shortcut key for the return command is Ctrl+Z.
Examples
# Return to the user view from the system view.
[Eudemon] return
<Eudemon>
1.1.13 super
Function
Using the super command, you can switch from the current user level to another user level.
Format
super [ user-level ]
Parameters
user-level: specifies the user level. It is an integer that ranges from 0 to 3.
Views
User view
Default Level
0: Visit level
Usage Guidelines
User level indicates the type of the login user. There are 4 user levels. Different from the use of command level, a login user can only use the commands with the levels no higher than the user level. Commands are classified into four levels:
- Visit level: refers to network diagnosis tool commands (such as ping and tracert) and external commands (including the Telnet client, SSH client, and RLOGIN). Saving the configuration file is not allowed at this level.
- Monitoring level: refers to commands such as display and debugging, which are used for system maintenance and service fault diagnosis. Saving the configuration file is not allowed at this level.
- Configuration level: refers to service configuration commands, including routing commands and commands on each network layer, which are used to provide direct network service to the user.
- Management level: refers to commands that affect the basic operation of the system and the system support modules, which play a supporting role for services. Commands of this level include file system commands, FTP commands, TFTP commands, XModem downloading commands, configuration file switching commands, power supply control commands, standby control commands, user management commands, level setting commands, and internal parameter setting commands (not stipulated by protocols or by RFCs).
When you switch to a higher level, user authentication is required to prevent unauthorized access. That is, you must enter the password of the higher level (if a super password [ level user-level ] { simple | cipher } password line has already been configured). For the sake of confidentiality, the password entered by the user is not displayed on the screen. The user switches to the higher level only when the correct password is entered within three attempts. Otherwise, the original user level remains unchanged.
Examples
# Change the current user level to level 3.
<Eudemon> super 3
Password:
Now user privilege is 3 level, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
Format
super password [ level user-level ] { simple | cipher } password
undo super password [ level user-level ]
Parameters
level user-level: specifies the user level. It is an integer that ranges from 0 to 3.
simple: indicates the password in plain text.
cipher: indicates the password in encrypted text.
password: If the authentication is in the simple mode, the password must be in plain text, ranging from 8 to 16 characters. If the authentication is in the cipher mode, the password can be either in encrypted text with 24 characters such as (TT8F ] Y\5SQ=^Q`MAF4<1!! or in plain text with 8 to 16 characters such as Admin@123.
Views
System view
Default Level
3: Management level
Usage Guidelines
By default, the password is entered in plain text. During authentication, enter the password in plain text regardless of whether it was configured in plain text or in encrypted text.
Examples
# Set the password for switching a user to a higher level to Admin@123.
<Eudemon> system-view
[Eudemon] super password level 3 simple Admin@123
[Eudemon] quit
<Eudemon> super 3
Password:
Now user privilege is 3 level, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
1.1.15 sysname
Function
Using the sysname command, you can set the name of the Eudemon.
Format
sysname sysname
Parameters
sysname: specifies the Eudemon name in a character string with 1 to 30 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the Eudemon name is Eudemon. Changing the name of the Eudemon changes the prompt of the command line interface. For example, if the name of the Eudemon is "EudemonA", the prompt of the system view is [EudemonA].
Examples
# Set the name of the Eudemon as proname.
<Eudemon> system-view
[Eudemon] sysname proname
[proname]
1.1.16 system-view
Function
Using the system-view command, you can enter the system view from the user view.
Format
system-view
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enter system view.
1.2.30 set authentication password
1.2.31 shell
1.2.32 speed
1.2.33 ssh server authentication-retries
1.2.34 ssh server rekey-interval
1.2.35 ssh server timeout
1.2.36 ssh user assign rsa-key
1.2.37 ssh user authentication-type
1.2.38 stopbits
1.2.39 telnet
1.2.40 user privilege
1.2.41 user-interface
1.2.42 user-interface maximum-vty
1.2.1 acl
Function
Using the acl command, you can restrict inbound and outbound authorities for VTY user interfaces (Telnet and SSH) through referencing ACL. Using the undo acl command, you can cancel the current settings.
Format
acl acl-number { inbound | outbound }
undo acl { inbound | outbound }
Parameters
acl-number: specifies the number of an access control list (ACL). It is an integer that ranges from 2000 to 3999.
inbound: restricts the incoming calls on the user interface.
outbound: restricts the outgoing calls on the user interface.
Views
User interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the incoming and outgoing calls are not restricted. acl-number is a basic access control list.
Examples
# Cancel the outbound restriction for the console interface.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] undo acl outbound
1.2.2 authentication-mode
Function
Using the authentication-mode command, you can set the authentication mode for logging in to the user interface. Using the undo authentication-mode command, you can restore the default authentication mode.
Format
authentication-mode { aaa | none | password | local user username password { cipher | simple } password }
undo authentication-mode
Parameters
aaa: sets the authentication mode to AAA.
none: sets no authentication.
password: performs local password authentication.
local: sets the authentication mode to local user name and password.
user username: specifies the local user name. It is a string of 1 to 16 characters.
password: specifies the local password.
cipher password: specifies the password in plain text or cipher text. A plain text password is a character string of 8 to 16 characters (bytes). A cipher text password is a character string of 24 characters.
simple password: specifies the password in plain text. The value is a character string of 8 to 16 characters.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
By default, the authentication method for the user interface of VTY type is password, and the logging in to other user interfaces needs no authentication.
Examples
# Enable local password authentication.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] authentication-mode password
Format
auto-execute command command
undo auto-execute command
Parameters
command: specifies the command automatically executed.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
By default, no command is automatically executed. A command configured through auto-execute command is automatically executed when the user logs in, and the user interface disconnects automatically after the command completes. Typically, a telnet command configured through auto-execute command on a terminal user interface connects the user automatically to the designated host.
Use this command with care, because it causes the terminal to be unable to perform routine configuration of the system.
NOTE
Make sure that you can log in to the system by other means to remove the configuration before configuring auto-execute command command and saving the configuration.
Examples
# The telnet 10.110.100.1 command is run automatically after the user logs on from the VTY 0 port.
<Eudemon> system-view
[Eudemon] user-interface vty 0
[Eudemon-ui-vty0] auto-execute command telnet 10.110.100.1
1.2.4 databits
Function
Using the databits command, you can set user interface data bit. Using the undo databits command, you can restore the default data bit.
Format
databits { 5 | 6 | 7 | 8 }
undo databits
Parameters
5: indicates that the data bit is 5 bits.
6: indicates that the data bit is 6 bits.
7: indicates that the data bit is 7 bits.
8: indicates that the data bit is 8 bits.
Views
User interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the data bit is 8 bits. The configuration is effective only when the serial interface works in the asynchronous interactive mode.
Examples
# Set the data bit to 7 bits.
<Eudemon> system-view
[Eudemon] user-interface vty 0
[Eudemon-ui-vty0] databits 7
Format
debugging rsa
undo debugging rsa
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, the debugging is disabled. For all debugging commands, the debugging information is printed only when terminal debugging is enabled.
Examples
# Enable RSA debugging.
<Eudemon> debugging rsa
Function
Using the debugging ssh server command, you can send the debugging information about the negotiation process stipulated by the SSH 1.5 protocol to the information center, and debug a certain user interface. Using the undo debugging ssh server command, you can disable the debugging.
Format
debugging ssh server { vty vty-number | all }
undo debugging ssh server { vty vty-number | all }
Parameters
vty-number: specifies the SSH channel to be debugged. Its value depends on the number of VTYs; by default, it is an integer that ranges from 0 to 4.
all: refers to all SSH channels.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, the debugging is disabled.
Examples
# Print debugging information in running SSH.
<Eudemon> debugging ssh server vty 0
00:23:20: SSH0: starting SSH control process
00:23:20: SSH0: sent protocol version id SSH-1.5-Eudemon-1.25
00:23:20: SSH0: protocol version id is - SSH-1.5-1.2.26
00:23:20: SSH0: SSH_SMSG_PUBLIC_KEY msg
00:23:21: SSH0: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
00:23:21: SSH: RSA decrypt started
00:23:21: SSH: RSA decrypt finished
00:23:21: SSH: RSA decrypt started
00:23:21: SSH: RSA decrypt finished
Format
debugging telnet
undo debugging telnet
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, the debugging is disabled.
Examples
# Enable telnet debugging.
<Eudemon> debugging telnet
Format
display rsa local-key-pair public
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the public key in the local key pair.
<Eudemon> display rsa local-key-pair public
=====================================================
Time of Key pair created: 1:14:14 2007/4/5
Key name: Eudemon_Host
Key type: RSA encryption Key
=====================================================
Key code:
308188
028180
C1A92FF4 310DE61B 6805D38F 422DB443 642B7610 4B028AAD 747F51C6 2F0226DC
A9194D89 24420530 66CAE8B0 18AC668F 83A04A52 7C2015E0 F4E3B715 9957B51B
83E80F18 918E5244 8C0C60A1 89DCA28B 69253E82 394B8969 207C6658 912E8416
2E76070E 8A4B8FC4 B9975515 BCF862E0 60B9A9A6 259E8C03 71A7FFAE A1F01213
0203
010001
=====================================================
Time of Key pair created: 1:14:21 2007/4/5
Key name: Eudemon_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
ECFBD339 D48F670C 4137F9EC C7846C5E 4091E037 F2B895D6 1B561EB1 65713870
5117F69B 302B236C 965D05C3 9F74BABA AFB91845 80C2E576 7D92B807 C40AC45A
5E6AC053 D82CAEB1 986B0AB0 7BED8BA4 E31C1135 9868563B 399EFD9F C344270D
0203
010001
Format
display rsa peer-public-key [ brief | name keyname ]
Parameters
brief: displays the brief information about all the remote public keys.
keyname: specifies the name of the key to be displayed. The value is a consecutive character string of 1 to 30 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If no public key is specified, all public keys are displayed.
Examples
# Display the detailed information about all the RSA public keys.
<Eudemon> display rsa peer-public-key
Address   Bits   Name
          1023   abcd
          1024   hq
          1024   wn1
          1024   hq_all
Format
display ssh server { status | session }
Parameters
status: displays SSH status information.
session: displays SSH session information.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display SSH status and configuration parameters.
<Eudemon> display ssh server status
SSH version                        : 1.5
SSH connection timeout             : 60 seconds
SSH server key generating interval : 1 hours
SSH Authentication retries         : 3 times
Format
display ssh user-information [ user-name ]
Parameters
user-name: specifies a valid SSH user name defined by AAA. It is a string of 1 to 64 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If the parameter user-name is specified, the system will display the specified user information.
Examples
# Display user information.
<Eudemon> display ssh user-information
Username authentication-type user-public-key-name
Jin rsa hanqi1 password 1024 rsa jin 816pub file3 4000 hanqi_rsa hanqi_all all rsa all
Format
display tcp { statistics | status }
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Compared with the display users command, the display tcp status command can be used to display more information about Telnet client and server. The display information of the display tcp status command includes:
- Local address of TCP connection
- Local port number
- External address
- External port number
- Connection state
- Statistics of received data
- Statistics of sent data
- Timeout times of the retransmission timer and the keepalive timer
- Times for initiating connections
- The number of disconnected connections
- The number of dropped packets during MD5 authentication
- The number of passed packets during MD5 authentication
Examples
# Display all TCP connections with the Eudemon.
<Eudemon> display tcp status
TCPCB     Local Add:port        Foreign Add:port      State
5681a0e4  0.0.0.0:22            0.0.0.0:0             Listening
56819ea4  0.0.0.0:23            0.0.0.0:0             Listening
57034404  0.0.0.0:80            0.0.0.0:0             Listening
57033b04  1.1.1.1:23            1.1.1.2:3170          Established
57076084  1.1.1.1:23            1.1.1.2:3340          Established
57159d04  1.1.1.1:23            1.1.1.2:4094          Established
5714a244  129.102.100.142:23    129.102.001.92:4288   Established
The above information indicates that: one TCP connection has been set up, and its local IP address is 129.102.100.142; local port number is 23; remote IP address is 129.102.001.92. In addition, a server at local end is monitoring port 23.
Format
display user-interface [ user-interface-type user-interface-number ] [ number ] [ summary ]
display user-interface maximum-vty
Parameters
user-interface-type: specifies the type of the user interface.
user-interface-number: specifies the relative user interface ID.
summary: indicates the user interface briefly.
number: specifies the absolute user interface ID. The value is an integer that ranges from 0 to 15.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the details on the user interface with the absolute ID as 0.
<Eudemon> display user-interface 0
  Idx  Type   Tx/Rx   Modem Privi Auth Int
  0    CON 0  9600          3         -
  +    : Current user-interface is active.
  F    : Current user-interface is active and work in async mode.
  Idx  : Absolute index of user-interface.
  Type : Type and relative index of user-interface.
  Privi: The privilege of user-interface.
  Auth : The authentication mode of user-interface.
  Int  : The physical location of UIs.
  A    : Authenticate use AAA.
  L    : Authenticate use local database.
  N    : Current user-interface need not authentication.
  P    : Authenticate use current UI's password.
Format
display users [ all ]
Parameters
all: display the information of all users in user interface.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Use the display users command on the Console.
<Eudemon> display users
  User-Intf    Delay     Type  Ipaddress   Username
  146 VTY 0    00:03:35  TEL   1.1.1.2
  147 VTY 1    05:39:51  TEL   1.1.1.2
+ 148 VTY 2    00:00:00  TEL   1.1.1.2     zhangsan
  149 VTY 3    01:18:39  TEL   1.1.1.2
Table 1-2 shows the description of the display users command output.
Table 1-2 Description of the display users command output
Item        Description
+           Terminal line in use.
User-Intf   Number in the first column indicates the absolute number of the user interface and that in the second column indicates the relative number of the user interface.
Delay       Interval from the last input by the user till now, in seconds.
Type        Connection type.
Ipaddress   IP address of the starting host in the connection.
Username    Indicates the login user name. As the AAA authentication is currently unavailable, this item is null.
1.2.15 flow-control
Function
Using the flow-control command, you can configure the traffic control mode. Using the undo flow-control command, you can restore the default traffic control mode.
Format
flow-control { none | software | hardware }
undo flow-control
Parameters
none: indicates no traffic control.
software: indicates software traffic control.
hardware: indicates hardware traffic control, only effective on the AUX port.
Views
User interface view
Default Level
2: Configuration level
Usage Guidelines
By default, none mode is used, that is, traffic control is disabled. The configuration is effective only when the corresponding serial interface works in the asynchronous interactive mode. During the EXEC output, press Ctrl+S to stop the screen output, and press Ctrl+Q to resume the screen output.
Examples
# Set software traffic control in the user interface view.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] flow-control software
Format
free user-interface [ user-interface-type ] user-interface-number
Parameters
user-interface-type: specifies the type of the user interface.
user-interface-number: specifies the absolute/relative number of a user interface.
Views
User view
Default Level
3: Management level
Usage Guidelines
user-interface-number: clears the user interface with the specified user-interface-number.
user-interface-type user-interface-number: clears the user interface with the specified user-interface-number of the specified interface type.
Examples
# Clear user interface 0.
<Eudemon> free user-interface 0
Format
history-command max-size max-size
undo history-command max-size
Parameters
max-size: specifies the size of the history buffer. It is an integer that ranges from 0 to 256.
Views
User interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the max-size is 10, that is, 10 history commands can be stored.
Examples
# Set the size of the history command buffer to 20.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] history-command max-size 20
1.2.18 idle-timeout
Function
Using the idle-timeout command, you can configure the timeout disconnection function. Using the undo idle-timeout command, you can restore its default value.
Format
idle-timeout minutes [ seconds ]
undo idle-timeout
Parameters
minutes: specifies the minutes. The value is an integer ranging from 0 to 35791 minutes.
seconds: specifies the seconds. The value is an integer ranging from 0 to 59 seconds.
Views
User interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the timeout period is 10 minutes. Setting idle-timeout 0 0 is to disable the timeout disconnection function.
Examples
# Set the timeout time to 1 minute 30 seconds.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] idle-timeout 1 30
1.2.19 lock
Function
Using the lock authentication-count command, you can lock the user interface after user login failure exceeds certain times. Using the undo lock authentication-count command, you can restore its default value.
Format
lock { authentication-count count | lock-timeout timeout }
undo lock { authentication-count | lock-timeout }
Parameters
authentication-count: specifies the limit of user authentication attempts.
count: specifies the number of authentication attempts. The value is an integer ranging from 1 to 12, and the default is 3.
lock-timeout: specifies the lock time after user authentication fails.
timeout: specifies the lock time in minutes. The value is an integer from 1 to 1500, and the default is 10.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
By default, the number of authentication attempts is 3. When a user fails to log in to the Eudemon three times, the system locks the user interface for 10 minutes.
Examples
# Set the times of all user login authentication on the serial port console 0 to 5, and the lock time to 20 minutes.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] lock authentication-count 5
[Eudemon-ui-console0] lock lock-timeout 20
1.2.20 parity
Function
Using the parity command, you can set the check bit of the user interface. Using the undo parity command, you can restore the check mode of the user interface to none.
Format
parity { none | even | odd | mark | space }
undo parity
Parameters
none: sets the transmission check bit to no check.
even: sets the transmission check bit to even parity.
odd: sets the transmission check bit to odd parity.
mark: sets the transmission check bit to mark check.
space: sets the transmission check bit to space check.
Views
User interface view
Default Level
2: Configuration level
Usage Guidelines
By default, no check is performed. The configuration is effective only when the serial interface works in the asynchronous interactive mode.
Examples
# Set the transmission check bit on the Console port to odd parity.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] parity odd
Format
peer-public-key end
Parameters
None
Views
Public key view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Return to the system view from the public key view and save the configuration.
<Eudemon> system-view
[Eudemon] rsa peer-public-key Eudemon003
[Eudemon-rsa-public-key] peer-public-key end
[Eudemon]
Function
Using the protocol inbound command, you can specify the protocols supported by the current user interface.
Format
protocol inbound { all | ssh | telnet }
Parameters
all: supports all the protocols, including Telnet and SSH.
ssh: supports only SSH.
telnet: supports only Telnet.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
By default, the system supports all protocols, namely Telnet and SSH. When you use this command to specify the SSH protocol for the user interface, if SSH is enabled but the local RSA key is not configured, SSH is unavailable. The configuration takes effect when you log in the next time. If you use this command to set the SSH protocol for a certain user interface, before logging in successfully you need to set the authentication mode to authentication-mode local or authentication-mode scheme default. If the authentication mode is authentication-mode password or authentication-mode none, protocol inbound ssh fails to be configured.
Examples
# Disable Telnet function of VTY0 to VTY4, and only support SSH function.
<Eudemon> system-view
[Eudemon] user-interface vty 0 4
[Eudemon-ui-vty0-4] protocol inbound ssh
Format
public-key-code begin
Parameters
None
Views
Public key view
Default Level
2: Configuration level
Usage Guidelines
Before using this command, you must use the rsa peer-public-key command to specify one key name. After inputting the public-key-code begin command, you can enter the public key edit view, and then input the key characters. Spaces can exist between characters. You can press Enter to continue inputting the key character. The public key configured must be a hex character string coded according to the public key format. It is randomly generated by the client software supporting SSH.
Examples
# Enter the public key edit view and input the key.
<Eudemon> system-view
[Eudemon] rsa peer-public-key Eudemon003
[Eudemon-rsa-public-key] public-key-code begin
[Eudemon-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[Eudemon-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[Eudemon-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[Eudemon-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[Eudemon-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[Eudemon-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[Eudemon-rsa-key-code] public-key-code end
[Eudemon-rsa-public-key] peer-public-key end
[Eudemon]
Format
public-key-code end
Parameters
None
Views
Public key edition view
Default Level
2: Configuration level
Usage Guidelines
After this command is run, the process of editing the public key ends. Before saving the public key, the system checks the validity of the key. If there are illegal characters in the public key character string configured by the user, the system displays a relevant prompt; the public key configured by the user is discarded, and the configuration fails. If the configured public key is valid, it is saved in the public key chain table of the client.
Examples
# Quit the public key editing view and save the configuration.
<Eudemon> system-view
[Eudemon] rsa peer-public-key Eudemon003
[Eudemon-rsa-public-key] public-key-code begin
[Eudemon-rsa-key-code] public-key-code end
[Eudemon-rsa-public-key] peer-public-key end
[Eudemon]
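As an added example (not Huawei code), the following Python parses the hex key code that display rsa local-key-pair public prints and that public-key-code begin accepts. The byte layout visible in those examples (30 .. 02 .. 02 ..) is the DER encoding of a PKCS#1 RSAPublicKey, a SEQUENCE of the modulus and the public exponent as INTEGERs, so the parser recovers the modulus length shown in the Bits column of display rsa peer-public-key together with the exponent, and rejects malformed input of the kind public-key-code end discards. The sample key is the one from the public-key-code begin example above; the minimum-size policy check and its threshold are assumptions of this example.

```python
"""Parse the hex RSA public key blocks used by the rsa commands on this page.

Added example, not Huawei code.  The key code is a DER-encoded PKCS#1
RSAPublicKey:  SEQUENCE { INTEGER modulus, INTEGER publicExponent }.
parse_rsa_public_key_hex() returns (modulus_bits, exponent); check_peer_key()
is an assumed import-time policy check (minimum modulus size is a parameter).
"""
import re

# Peer key from the 'public-key-code begin' example on this page.  Spaces and
# line breaks are allowed, as the command itself accepts them.
PEER_KEY_HEX = """
308186028180739A291ABDA704F5D93DC8FDF84C427463
1991C164B0DF178C55FA833591C7D47D5381D09CE82913
D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
"""


def _read_length(buf: bytes, pos: int) -> tuple:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form: the byte is the length
        return first, pos + 1
    n_bytes = first & 0x7F                # long form: 0x8N, then N length bytes
    if n_bytes == 0 or n_bytes > 4 or pos + 1 + n_bytes > len(buf):
        raise ValueError("bad DER length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n_bytes], "big")
    return length, pos + 1 + n_bytes


def _read_integer(buf: bytes, pos: int) -> tuple:
    """Decode a DER INTEGER at buf[pos]; return (value, position after it)."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = _read_length(buf, pos + 1)
    if pos + length > len(buf):
        raise ValueError("INTEGER runs past end of key")
    return int.from_bytes(buf[pos:pos + length], "big"), pos + length


def parse_rsa_public_key_hex(key_hex: str) -> tuple:
    """Return (modulus_bits, exponent) for a hex RSAPublicKey block.

    Raises ValueError for characters outside the hex alphabet or for a
    malformed structure, the cases the device rejects at public-key-code end.
    """
    compact = re.sub(r"\s+", "", key_hex)
    if not compact or re.search(r"[^0-9A-Fa-f]", compact) or len(compact) % 2:
        raise ValueError("key code must be an even-length hex string")
    buf = bytes.fromhex(compact)
    if buf[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    seq_len, pos = _read_length(buf, 1)
    if pos + seq_len != len(buf):
        raise ValueError("SEQUENCE length does not match key size")
    modulus, pos = _read_integer(buf, pos)
    exponent, pos = _read_integer(buf, pos)
    if pos != len(buf):
        raise ValueError("trailing bytes after exponent")
    return modulus.bit_length(), exponent


def check_peer_key(key_hex: str, min_bits: int = 1024) -> list:
    """Policy findings for a key about to be imported (empty list = accept)."""
    findings = []
    try:
        bits, exponent = parse_rsa_public_key_hex(key_hex)
    except ValueError as exc:
        return [f"malformed key code: {exc}"]
    if bits < min_bits:
        findings.append(f"modulus is {bits} bits, below required {min_bits}")
    if exponent < 3 or exponent % 2 == 0:
        findings.append(f"unusual public exponent {exponent}")
    return findings


if __name__ == "__main__":
    print(parse_rsa_public_key_hex(PEER_KEY_HEX))   # (1023, 37)
    print(check_peer_key(PEER_KEY_HEX))
```

The 1023-bit result for the sample key is the same size the Bits column reports for a peer key whose modulus has a leading zero bit, which is why that column can show 1023 next to keys generated as 1024.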
Format
rsa local-key-pair create
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If an RSA key already exists, the system gives an alarm prompting that the original key will be overwritten. The generated key pairs are named hostkey and serverkey. When the save command is run, the configuration is not saved in the configuration file. After the command is entered, the system prompts you to type in the key modulus of the host. There is a difference of at least 128 bits between the length of the server key pair and that of the host key pair. The minimum length of the server key and host key is 512 bits, and the maximum length is 2048 bits. If the keys already exist, you need to confirm whether to modify them. To implement SSH login, you need to configure and create the local RSA key pair. Before configuring other SSH settings, you must create the local key pair using the rsa local-key-pair create command. This command needs to be run only once and need not be run again after the Eudemon restarts.
Examples
# Create local host key pair and server key pair.
<Eudemon> system-view
[Eudemon] rsa local-key-pair create
The key name will be: Eudemon_Host
% RSA keys defined for Eudemon_Host already exist.
Confirm to replace them? [yes/no]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:512
Generating keys...
............++++++++++++
..++++++++++++
...........................++++++++
.............++++++++
[Eudemon]
Format
rsa local-key-pair destroy
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After entering this command, you need to confirm whether to remove all RSA keys. When the save command is run, the configuration is not saved in the configuration file.
Examples
# Remove all RSA keys of the server.
<Eudemon> system-view
[Eudemon] rsa local-key-pair destroy
% The name for the keys which will be destroyed is Eudemon_Host
% Confirm to destroy these keys? [yes/no]:y
[Eudemon]
Format
rsa peer-public-key key-name
Parameters
key-name: specifies the public key name. It is a string of 1 to 30 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After inputting the command, you can enter the public key view. This command can be used together with the public-key-code begin command to configure the public key of the client.
Examples
# Enter the public key view.
<Eudemon> system-view
[Eudemon] rsa peer-public-key Eudemon002
[Eudemon-rsa-public-key]
1.2.28 screen-length
Function
Using the screen-length command, you can set the number of rows on each screen of the terminal. Using the undo screen-length command, you can restore the default value.
Format
screen-length screen-length
undo screen-length
Parameters
screen-length: specifies the number of rows displayed on the split screen. It is an integer ranging from 0 to 512.
Views
User interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the number of rows on one screen is 24. The screen-length 0 command is used to disable this function.
Examples
# Set the number of lines in each screen of the terminal to 30.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0] screen-length 30
1.2.29 send
Function
Using the send command, you can transfer message between user interfaces.
Format
send { number | all | user-interface-type user-interface-number }
Parameters
number: specifies the absolute user interface ID.
all: sends messages to all user interfaces.
user-interface-type: specifies the type of the user interface.
user-interface-number: specifies the relative number of the user interface.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
Using the send number command, you can send messages to the user interface with the number. Using the send user-interface-type user-interface-number command, you can send messages to the user interface with the user-interface-number of the specified type.
Examples
# Send a message to the user interface Console 0.
<Eudemon> send console 0
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
Hello,good morning!
Send message? [Y/N]
Format
set authentication password { simple | cipher } password
undo set authentication password
Parameters
simple password: configures the password in plain text. The value is a character string of 8 to 16 characters in bytes.
cipher password: configures the password in plain text or cipher text. A plain text password is a character string of 8 to 16 characters in bytes. A cipher text password is a character string of 24 characters in bytes.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
No matter whether the password is configured in plain text or cipher text, the user must input the plain text password during authentication. You must specify simple or cipher when configuring the command. If you use the simple method, the configuration file saves the password in plain text. If you use the cipher method, the password is displayed in encrypted text whether you input a plain text password of 8 to 16 bytes or a 24-byte encrypted password. By default, Telnet users must input the password during login. If no password is configured, the following is displayed: password required, but none set.
Examples
# Set the local authentication password for the user interface vty 0 to vty 4 as Admin@123.
<Eudemon> system-view
[Eudemon] user-interface vty 0 4
[Eudemon-ui-vty0-4] authentication-mode password
[Eudemon-ui-vty0-4] set authentication password simple Admin@123
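The authentication-mode, protocol inbound, idle-timeout and set authentication password commands above each leave a user interface weaker when misused; as an added example (not Huawei code), the following Python reads the user-interface blocks of a saved configuration in the shape these commands produce and reports such settings per block, applying the defaults this section states (VTYs default to password authentication and to accepting both Telnet and SSH). The configuration text is constructed for the example; CIPHERTEXT-PLACEHOLDER stands in for a real cipher-text password.

```python
"""Audit the user-interface blocks of a Eudemon (VRP-style) configuration
for the weak login settings this section describes.

Added example, not Huawei code. Per user-interface block it flags:
authentication-mode none (or the no-authentication default of a non-VTY
interface); authentication-mode password with no set authentication
password ("password required, but none set"); set authentication password
simple (plain-text storage); a VTY still accepting Telnet (protocol inbound
all is the default when the command is absent); and idle-timeout 0 0.
SAMPLE_CONFIG is constructed; CIPHERTEXT-PLACEHOLDER stands in for a real
cipher-text password.
"""

SAMPLE_CONFIG = """\
#
user-interface console 0
 authentication-mode password
 set authentication password cipher CIPHERTEXT-PLACEHOLDER
 idle-timeout 1 30
#
user-interface aux 0
 authentication-mode none
#
user-interface vty 0 4
 authentication-mode password
 set authentication password simple Admin@123
 protocol inbound all
 idle-timeout 0 0
#
user-interface vty 5 9
 authentication-mode password
 protocol inbound ssh
#
"""


def parse_user_interfaces(config_text: str) -> dict:
    """Return {"vty 0 4": ["authentication-mode password", ...], ...}.

    Indented lines belong to the current block; a '#' separator or any
    other top-level line closes it.
    """
    blocks, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("user-interface "):
            current = raw[len("user-interface "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_user_interface(name: str, commands: list) -> list:
    """Findings for one user interface block (empty list = nothing flagged)."""
    findings, auth_mode, inbound, password_set = [], None, None, False
    for cmd in commands:
        words = cmd.split()
        if words[:1] == ["authentication-mode"] and len(words) > 1:
            auth_mode = words[1]
        elif words[:3] == ["set", "authentication", "password"] and len(words) > 3:
            password_set = True
            if words[3] == "simple":
                findings.append("password stored in plain text (simple)")
        elif words[:2] == ["protocol", "inbound"] and len(words) > 2:
            inbound = words[2]
        elif words[:1] == ["idle-timeout"] and len(words) > 1:
            minutes = int(words[1])
            seconds = int(words[2]) if len(words) > 2 else 0
            if minutes == 0 and seconds == 0:
                findings.append("idle disconnection disabled (idle-timeout 0 0)")
    is_vty = name.startswith("vty")
    # Defaults from this section: VTYs use password authentication,
    # other user interfaces need no authentication.
    effective_auth = auth_mode or ("password" if is_vty else "none")
    if effective_auth == "none":
        findings.append("no login authentication (authentication-mode none)")
    elif effective_auth == "password" and not password_set:
        findings.append("password authentication without a password set")
    if is_vty and (inbound or "all") != "ssh":
        findings.append(f"Telnet accepted (protocol inbound {inbound or 'all'})")
    return findings


def audit_config(config_text: str) -> dict:
    """Map every user interface in the configuration to its findings."""
    return {name: audit_user_interface(name, cmds)
            for name, cmds in parse_user_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"user-interface {name}: {findings or 'ok'}")
```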
1.2.31 shell
Function
Using the shell command, you can set the terminal services enabled on the user interface. Using the undo shell command, you can remove the current setting.
Format
shell
undo shell
Parameters
None
Views
User interface view
Default Level
3: Management level
Usage Guidelines
By default, the terminal services are enabled on all the user interfaces.
Examples
# Disable terminal services on the VTY 0 to VTY 4.
<Eudemon> system-view
[Eudemon] user-interface vty 0 4
[Eudemon-ui-vty0-4] undo shell
# As for the Telnet users, the following is displayed after they log in.
% connection refused by remote host!
1.2.32 speed
Function
Using the speed command, you can set the transmission rate of a user interface. Using the undo speed command, you can restore the default transmission rate.
Format
speed speed-value
undo speed
Parameters
speed-value: specifies the transfer rate. By default, the value is 9600 bit/s.
Views
User interface view
Default Level
2: Configuration level
Usage Guidelines
Only if the interface works in asynchronous mode, this configuration will take effect. The transmission rates supported by the asynchronous serial interface are:
- 1200 bit/s
- 4800 bit/s
- 9600 bit/s
- 19200 bit/s
- 38400 bit/s
- 57600 bit/s
- 115200 bit/s
Examples
# Set the transmission rate of the VTY 0 port to 19200 bit/s.
<Eudemon> system-view
[Eudemon] user-interface vty 0
[Eudemon-ui-vty0] speed 19200
Format
ssh server authentication-retries times
undo ssh server authentication-retries
Parameters
times: specifies the retry times to authenticate the SSH connection. It is an integer that ranges from 1 to 5. The default value is 3.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the retry times to 4.
Format
ssh server rekey-interval hours
undo ssh server rekey-interval
Parameters
hours: specifies the update period. It is an integer ranging from 1 to 24 hours.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the system does not update the key.
Examples
# Set the interval for updating the key pair of the SSH server to three hours.
<Eudemon> system-view
[Eudemon] ssh server rekey-interval 3
Format
ssh server timeout seconds
undo ssh server timeout
Parameters
seconds: specifies the duration of login timeout. The value is an integer ranging from 1 to 120 in seconds. The default value is 60 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the timeout period to 80 seconds.
<Eudemon> system-view
[Eudemon] ssh server timeout 80
Format
ssh user user-name assign rsa-key key-name
undo ssh user user-name assign rsa-key
Parameters
user-name: specifies the valid SSH user name defined by AAA. It is a string of 1 to 64 characters.
key-name: specifies the configured public key name of the client. It is a string of 1 to 64 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When the system assigns a public key to a user, the system regards the public key assigned last as valid. The AAA module is responsible for the creation and deletion of local user names. When creating an SSH user, the AAA module first informs SSH, and SSH adds this user name to its user set. Likewise, when deleting a user, the AAA module informs SSH, and SSH matches this user against its user set. If matched, SSH deletes this user from its user set. The newly configured user public key takes effect during the next login.
Examples
# Assign "key1" to the user "zhangsan".
<Eudemon> system-view
[Eudemon] ssh user zhangsan assign rsa-key key1
Format
ssh user user-name authentication-type { password | rsa | all }
undo ssh user user-name authentication-type
Parameters
user-name: specifies the name of the SSH user. It is a string of 1 to 64 characters.
password: indicates the password authentication.
rsa: indicates the RSA authentication.
all: indicates that either the password authentication or the RSA authentication can be adopted.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the authentication mode of the SSH user is not configured. That is, no authentication mode is supported. For new users, the authentication mode must be specified. Otherwise, they cannot log in. The newly configured authentication mode takes effect in the next login.
Examples
# Configure the password authentication mode for the SSH user user1.
<Eudemon> system-view
[Eudemon] ssh user user1 authentication-type password
1.2.38 stopbits
Function
Using the stopbits command, you can set the stop bit of a user interface. Using the undo stopbits command, you can restore the default stop bit.
Format
stopbits { 1.5 | 1 | 2 }
undo stopbits
Parameters
1.5: sets the stop bit to 1.5 bits.
1: sets the stop bit to 1 bit.
2: sets the stop bit to 2 bits.
Views
User interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the stop bit is 1 bit. Only if the interface works in asynchronous mode, this configuration will take effect.
Examples
# Set the stop bit of the console interface to 2.
1.2.39 telnet
Function
Using the telnet command, you can log in to another device from the current Eudemon through Telnet.
Format
telnet [ vpn-instance vpn-instance-name ] host-ip-address [ service-port ]
Parameters
host-ip-address: specifies the IP address or host name of the remote device. An IP address is in dotted decimal notation; a host name is a string of 1 to 20 characters.
service-port: specifies the TCP port number of the Telnet service on the remote device. It is an integer that ranges from 0 to 65535.
Views
User view
Default Level
0: Visit level
Usage Guidelines
By default, if service-port is not specified, the Telnet port number is 23. By using the telnet command, the user can conveniently log in to another Eudemon or router from the current Eudemon to manage the remote device.
Examples
# Log in to a router (IP address is 129.102.0.1) from the current Eudemon.
<Eudemon> telnet 129.102.0.1
Trying 129.102.0.1...
Service port is 23
Connected to 129.102.0.1
<Eudemon>
Format
user privilege level level
undo user privilege level
Parameters
level: specifies the command level. It is an integer that ranges from 0 to 3.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
By default, the command level of the Console port user interface is 3 and the command level of other user interfaces is 0. If the command level configured on the user interface is inconsistent with the level of the logged-in user, the user's own level is used as the valid level. For instance, if the command level of user 001 is 3 but the command level configured on VTY 0 is 2, then when user 001 logs in through VTY 0 it can use commands of level 3 or below.
Examples
# Set the command level of users logging in through VTY 0 to 2.
<Eudemon> system-view
[Eudemon] user-interface vty 0
[Eudemon-ui-vty0] user privilege level 2
1.2.41 user-interface
Function
Using the user-interface command, you can enter one user interface view or multiple user interface views.
Format
user-interface { number | interface-type first-number [ last-number ] }
Parameters
number: specifies the absolute user interface ID. The value is an integer that ranges from 0 to 5.
interface-type: specifies the type of user interface. If you use the relative number, you need to specify the type of the user interface; if you use the absolute number, you do not.
first-number: specifies the first user interface to be configured.
last-number: specifies the last user interface to be configured. The last-number must be larger than the first-number.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enter the user interface console view to configure console 0.
<Eudemon> system-view
[Eudemon] user-interface console 0
[Eudemon-ui-console0]
Format
user-interface maximum-vty number
undo user-interface maximum-vty
Parameters
number: specifies the maximum number of Telnet and SSH users. It is an integer that ranges from 0 to 15. By default, the value is 5.
Views
System view
Default Level
3: Management level
Usage Guidelines
By default, the maximum number of Telnet and SSH users is 5. You can set the maximum number as required. The system accepts the configuration only if the VTY IDs of all currently logged-in users are less than the configured number; otherwise, it reports that the configuration is invalid. If the maximum number of login users is zero, the system closes all current VTY channels, and no Telnet or SSH user can log in to the Eudemon.
Examples
# Set the maximum number of Telnet users to 7.
<Eudemon> system-view
[Eudemon] user-interface maximum-vty 7
Format
display firewall mode
Parameters
None
Views
All views
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Display the current mode of the Eudemon.
<Eudemon> display firewall mode
firewall mode route
firewall mode route if reboot
Format
display firewall transparent-mode address-table [ dynamic | interface interface-type interface-number | mac mac-address | static | vlan vlan-id [ mac mac-address ] ]
Parameters
dynamic: specifies a dynamic address.
interface-type: specifies the interface type.
interface-number: specifies the interface number.
mac mac-address: specifies the MAC address in the format H-H-H, where each H is a hexadecimal number of up to 4 digits, such as 00e0 and fc01. If you enter fewer than 4 digits, the value is padded with leading zeros; for example, when you enter e0, 00e0 is displayed. FFFF-FFFF-FFFF is not a valid MAC address.
static: specifies a static address.
vlan-id: specifies the ID of a VLAN. It is an integer that ranges from 1 to 4094.
Views
All views
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Display the address forwarding table of the interface GigabitEthernet 0/0/0.
<Eudemon> display firewall transparent-mode address-table interface GigabitEthernet 0/0/0
Vlan-ID  Mac-address  Action  Interface  Type  Aging-time  TTL
Total:0  Static:0  Dynamic:0
Table 1-3 shows the description of the display firewall transparent-mode address-table command output.
Table 1-3 Description of the display firewall transparent-mode address-table command output
Field        Description
Vlan-ID      VLAN where the interface resides
Mac-address  MAC address
Action       Deny or permit
Interface    Name of the output interface
Type         Static or dynamic
Aging-time   Time to live of the forwarding table item
TTL          Time to live of a packet
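As an added example (not Huawei's code) of the H-H-H address format the mac parameter accepts: a small Python normaliser that pads short groups with leading zeros as the CLI does, rejects FFFF-FFFF-FFFF, and converts entries exported from the address table into the colon form most other inventory tools expect. The function names are constructed for this example.

```python
import re

# Each H is 1 to 4 hexadecimal digits; the CLI left-pads shorter groups with zeros.
_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def normalize_hhh_mac(text: str) -> str:
    """Return the canonical 'hhhh-hhhh-hhhh' form of an H-H-H MAC address.

    Raises ValueError for input the device would not accept: a group count
    other than three, non-hexadecimal characters, a group longer than four
    digits, or the invalid value FFFF-FFFF-FFFF.
    """
    groups = text.strip().split("-")
    if len(groups) != 3:
        raise ValueError(f"expected three '-' separated groups, got {text!r}")
    padded = []
    for g in groups:
        if not _GROUP.match(g):
            raise ValueError(f"group {g!r} is not 1 to 4 hexadecimal digits")
        padded.append(g.lower().zfill(4))  # e0 -> 00e0, as the CLI displays it
    mac = "-".join(padded)
    if mac == "ffff-ffff-ffff":
        raise ValueError("FFFF-FFFF-FFFF is not a valid MAC address")
    return mac


def is_valid_hhh_mac(text: str) -> bool:
    """Boolean wrapper around normalize_hhh_mac for use in filters."""
    try:
        normalize_hhh_mac(text)
        return True
    except ValueError:
        return False


def hhh_to_colon(text: str) -> str:
    """Convert H-H-H to the colon-separated form (00e0-fc01-0203 ->
    00:e0:fc:01:02:03) so address-table exports can be matched against
    other inventories or logs."""
    raw = normalize_hhh_mac(text).replace("-", "")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def is_unicast(text: str) -> bool:
    """True when the individual/group bit (least significant bit of the first
    octet) is 0, i.e. the entry describes a single station rather than a
    multicast group."""
    first_octet = int(normalize_hhh_mac(text)[:2], 16)
    return (first_octet & 0x01) == 0


if __name__ == "__main__":
    # Constructed sample values, as a user might type them at the CLI.
    for sample in ("e0-fc01-1", "00E0-FC01-0203", "0100-5e00-0001", "ffff-ffff-ffff"):
        if is_valid_hhh_mac(sample):
            print(sample, "->", normalize_hhh_mac(sample), hhh_to_colon(sample),
                  "unicast" if is_unicast(sample) else "group")
        else:
            print(sample, "-> rejected")
```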
Format
firewall mode { composite | route | transparent }
Parameters
composite: specifies the composite mode. In this mode, some interfaces are configured with IP addresses and others are not.
route: specifies the route mode, in which every interface in use must be configured with an IP address.
transparent: specifies the transparent mode. In this mode, no interface can be configured with an IP address.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the Eudemon works in route mode. In route mode, its interfaces must be configured with IP addresses on different network segments and connected to different subnetworks. In transparent mode, its interfaces cannot be configured with IP addresses, and the networks connected to all interfaces must be in the same subnetwork. In composite (hybrid) mode, some interfaces are configured with IP addresses and some are not. The Eudemon in composite mode is used for VRRP backup.
CAUTION
Before the work mode is switched, save the current configuration of the Eudemon. After the work mode is switched, restart the system.
Examples
# Set the Eudemon to work in transparent mode.
<Eudemon> system-view
[Eudemon] firewall mode transparent
Format
firewall transparent-mode mac-aging-time seconds
undo firewall transparent-mode mac-aging-time
Parameters
seconds: specifies the aging time of the dynamic address table. The value is an integer ranging from 60 to 65535 in seconds. The default value is 1200 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
NOTE
This command is valid only when the device does not work in route mode.
A dynamic address whose hold time in the address table exceeds the configured aging time is deleted.
Examples
# Set aging time of dynamic addresses to 100 seconds.
<Eudemon> system-view
[Eudemon] firewall transparent-mode mac-aging-time 100
Format
firewall unknown-mac unicast { drop | arp | flood }
firewall unknown-mac { broadcast | multicast } { drop | flood }
undo firewall unknown-mac [ unicast | broadcast | multicast ]
Parameters
unicast: processes unicast IP packets.
multicast: processes multicast IP packets.
broadcast: processes broadcast IP packets.
drop: discards all IP packets with an unknown MAC address.
arp: discards the original IP packet and broadcasts ARP request packets to the other interfaces (excluding the interface that received the packet) in order to obtain the MAC address corresponding to the destination address of the original packet.
flood: sends all received packets to the other interfaces (excluding the receiving interface), which must belong to a security zone. After receiving the response packet, the Eudemon saves the MAC address information and uses it to forward subsequent packets.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
NOTE
This command is valid only when the device does not work in route mode.
By default, the system discards IP packets with an unknown MAC address. In some cases the Eudemon may receive IP packets whose destination MAC address is unknown (for example, when static ARP entries are configured), so it cannot find the MAC address of the peer when forwarding the packets. Therefore, you need to specify a processing mode (drop the packets, broadcast ARP requests, or flood the packets).
Examples
# Flood broadcast IP packets with unknown MAC addresses in transparent mode.
<Eudemon> system-view
[Eudemon] firewall unknown-mac broadcast flood
1.4.1 ascii
Function
Using the ascii command, you can set the transmission data type to ASCII.
Format
ascii
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
By default, the data type is ASCII.
Examples
# Set the transmission data type to ASCII.
<Eudemon> ftp 1.0.0.1
[ftp] ascii
17:03:03 2009/04/29 200 Type is ASCII
1.4.2 binary
Function
Using the binary command, you can set file transmission type to binary.
Format
binary
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Set the file transmission type to binary.
<Eudemon> ftp 1.1.1.0
[ftp] binary
17:03:24 2009/04/29 200 Type is Image (Binary)
1.4.3 bye
Function
Using the bye command, you can disconnect from the remote FTP server and return to the user view.
Format
bye
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Disconnect from the remote FTP server and return to the user view.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ... Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] bye
221 Windows FTP Server (WFTPD, by Texas Imperial Software) says goodbye
<Eudemon>
Format
cd { directory | flash: }
Parameters
directory: specifies the name of the destination directory. It is a string of 1 to 64 characters.
flash: indicates that the current working directory is flash:.
Views
User view
Default Level
3: Management level
Usage Guidelines
By default, the default working directory is used.
Examples
# Change the current path to test.
<Eudemon> cd test
<Eudemon> pwd
flash:/test
Format
cd pathname
Parameters
pathname: specifies the directory. It is a string of 1 to 64 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
This command can be used to access the directory in another path on the FTP server.
Examples
# Change the working directory to d:/temp.
<Eudemon> ftp 10.1.1.1
[ftp] cd d:/temp
1.4.6 cdup
Function
Using the cdup command, you can change the working directory to the upper-level directory.
Format
cdup
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
This command is used to exit from current directory to an upper-level directory.
Examples
# Change the working directory to an upper-level directory.
<Eudemon> ftp 1.1.1.1
Trying 1.1.1.1 ... Press CTRL+K to abort
Connected to 1.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(1.1.1.1:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp] cdup
250 "D:\" is current directory
1.4.7 close
Function
Using the close command, you can disconnect from the remote FTP server but remain in the FTP client view.
Format
close
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
This command terminates both control connection and data connection with the remote FTP server.
Examples
# Disconnect from the remote FTP server and remain in the FTP client view.
<Eudemon> ftp 10.1.1.1
[ftp] close
[ftp]
1.4.8 copy
Function
Using the copy command, you can copy a file.
Format
copy source-file-name dest-file-name
Parameters
source-file-name: specifies the source file name. It is a string of 1 to 64 characters.
dest-file-name: specifies the destination file name. It is a string of 1 to 64 characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
If the destination file name is the same as that of an existing file, the user is prompted whether the existing file should be overwritten.
Examples
# Copy the file named mpu.pat from flash:/ to flash:/log.
<Eudemon> cd flash:/log
<Eudemon> pwd
flash:/log
<Eudemon> dir
Directory of flash:/log/
  0 -rw- 3838593 Aug 11 2008 19:10:16 log.txt
  1 -rw- 8408190 May 31 2008 23:25:02 2008-05-31.23-25-23.log.txt
  2 -rw- 8397654 Jun 01 2008 02:11:30 2008-06-01.02-11-52.log.txt
  3 -rw- 8398518 Jun 01 2008 05:08:52 2008-06-01.05-09-57.log.txt
  4 -rw- 8400914 Jun 01 2008 08:07:36 2008-06-01.08-08-38.log.txt
  5 -rw- 8398046 Jun 02 2008 22:36:10 2008-06-02.22-36-51.log.txt
  6 -rw- 8391024 Jun 09 2008 22:05:28 2008-06-09.22-05-31.log.txt
  7 -rw- 8405959 Feb 03 2008 05:15:44 2008-02-03.05-16-25.log.txt
  8 -rw- 8391417 Jun 13 2008 22:37:06 2008-06-13.22-37-31.log.txt
  9 -rw- 8391448 Jun 15 2008 20:17:18 2008-06-15.20-18-20.log.txt
 10 -rw- 8398351 Jun 17 2008 22:39:38 2008-06-17.23-01-43.log.txt
 11 -rw- 8390431 Jun 30 2008 08:57:54 2008-06-30.08-58-25.log.txt
499688 KB total (245736 KB free)
<Eudemon> copy flash:/mpu.pat flash:/log/mpu.pat
100% complete
Info:Copied file flash:/mpu.pat to flash:/log/mpu.pat...Done
<Eudemon> dir
Directory of flash:/log/
  0 -rw- 3838593 Aug 11 2008 19:10:16 log.txt
  1 -rw- 8408190 May 31 2008 23:25:02 2008-05-31.23-25-23.log.txt
  2 -rw- 8397654 Jun 01 2008 02:11:30 2008-06-01.02-11-52.log.txt
  3 -rw- 8398518 Jun 01 2008 05:08:52 2008-06-01.05-09-57.log.txt
  4 -rw- 8400914 Jun 01 2008 08:07:36 2008-06-01.08-08-38.log.txt
  5 -rw- 8398046 Jun 02 2008 22:36:10 2008-06-02.22-36-51.log.txt
  6 -rw- 8391024 Jun 09 2008 22:05:28 2008-06-09.22-05-31.log.txt
  7 -rw- 8405959 Feb 03 2008 05:15:44 2008-02-03.05-16-25.log.txt
  8 -rw- 8391417 Jun 13 2008 22:37:06 2008-06-13.22-37-31.log.txt
  9 -rw- 8391448 Jun 15 2008 20:17:18 2008-06-15.20-18-20.log.txt
 10 -rw- 8398351 Jun 17 2008 22:39:38 2008-06-17.23-01-43.log.txt
 11 -rw- 8390431 Jun 30 2008 08:57:54 2008-06-30.08-58-25.log.txt
 12 -rw- mpu.pat
Format
debugging vfs { flash | low }
undo debugging vfs { flash | low }
Parameters
flash: enables Flash debugging.
low: enables debugging for the low-level interface.
Views
User view
Default Level
3: Management level
Usage Guidelines
By default, the debugging for the file system is disabled.
Examples
# Enable the Flash debugging of the file system.
<Eudemon> debugging vfs flash
Format
debugging
undo debugging
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
By default, the debugging switch is disabled.
Examples
# Enable the debugging switch.
<Eudemon> ftp 10.1.1.1
[ftp] debugging
Format
delete [ /unreserved ] [ flash:/ ] filename
Parameters
/unreserved: deletes the specified file permanently; the deleted file can never be restored.
flash: indicates the Eudemon storage device. Files in the flash are deleted.
filename: specifies the name of the file to be deleted. It is a string of 1 to 64 characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
This command supports the wildcard *. A deleted file is moved to the recycle bin. The dir command does not display deleted files; the dir /all command displays all files in the directory, including deleted ones. The undelete command restores a file that was moved to the recycle bin by the delete command. To remove such a file from the recycle bin, use the reset recycle-bin command. If two files with the same name in different directories are deleted to the recycle bin, only the file deleted last is kept.
Examples
# Delete flash:/test/test.txt.
<Eudemon> delete flash:/test/test.txt
Delete flash:/test/test.txt?[Y/N]y
%Deleting file flash:/test/test.txt...Done!
<Eudemon>
Format
delete remotefile
Parameters
remotefile: specifies the file name. It is a string of 1 to 64 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Delete the file temp.c.
<Eudemon> ftp 10.1.1.1
Trying 10.1.1.1 ... Press CTRL+K to abort
Connected to 10.1.1.1.
[ftp] delete temp.c
17:04:42 2009/04/29 250 File deleted from remote host.
Format
dir [ /all ] [ file-name ]
Parameters
/all: displays all files, including deleted files.
file-name: specifies the name of the file or directory to be displayed. It is a string of 1 to 64 characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
By default, files in the current directory are displayed. This command supports "*" wildcard. The dir /all command can be used to display the information about all the files, including the deleted files. The names of the deleted files are denoted with "[]", for instance, [text]. The deleted files can be restored through the undelete command. The reset recycle-bin command can be used to delete the file from the recycle bin permanently.
Examples
# Display the information about the file flash:/test/test.txt.
<Eudemon> dir flash:/test/test.txt
Directory of flash:/test/
-rwxrwxrwx 1 noone nogroup 2227 Apr 18 2003 15:38:30 test.txt
6477 KBytes total (47 KBytes free)
<Eudemon> dir flash:/test/t*
Directory of flash:/test/
-rwxrwxrwx 1 noone nogroup 2227 Apr 18 2003 15:38:30 test.txt
6477 KBytes total (47 KBytes free)
<Eudemon> dir /all flash:/test/
Directory of flash:/test/
-rwxrwxrwx 1 noone nogroup 2227 Apr 18 2003 15:38:30 test.txt
-rwxrwxrwx 1 noone nogroup 2165 Apr 18 2003 15:36:52 sample.txt
6477 KBytes total (46 KBytes free)
<Eudemon> dir /all flash:/test/t*
Directory of flash:/test/
-rwxrwxrwx 1 noone nogroup 2227 Apr 18 2003 15:38:30 test.txt
6477 KBytes total (46 KBytes free)
Format
dir [ file-name ] [ localfile ]
Parameters
file-name: specifies the queried file name. It is a string of 1 to 64 characters.
localfile: specifies the name of the local file in which the result is saved. It is a string of 1 to 64 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Query the file temp.c and save the query information to the file temp1.
<Eudemon> ftp 10.1.1.1
[ftp] dir temp.c temp1
1.4.15 disconnect
Function
Using the disconnect command, you can disconnect from the remote FTP server and remain in the FTP client view.
Format
disconnect
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
This command terminates both control connection and data connection with the remote FTP server.
Examples
# Disconnect from the remote FTP server and remain in the FTP client view.
<Eudemon> ftp 10.1.1.1
[ftp] disconnect
[ftp]
Format
display ftp-server
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
After the FTP parameters are configured, this command can be used to display the configuration results.
Examples
# Display the parameter setting of FTP server.
<Eudemon> display ftp-server
FTP server is running
Max user number 5
User count 2
Timeout(minute) 30
The above information shows that the FTP server has started, supports at most five users logged in simultaneously, currently has two users logged in, and uses a timeout of 30 minutes.
Format
display ftp-users
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
None
Examples
# Display parameters of the FTP user.
<Eudemon> display ftp-users
username  host        port  topdir    idle
testuser  10.110.3.5  1074  testuser  2
The above information shows that an FTP user has established a connection with the FTP server: the user name is testuser, the IP address of the remote host is 10.110.3.5, the remote port number is 1074, the authorized directory is flash:/testuser, and the user has not sent a service request to the FTP server for 2 minutes.
Format
display startup
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The output of the display startup command is as follows:
- The file name of the system software configured by the user for the current startup.
- The file name of the system software actually used in the current startup.
- The file name of the system software configured for the next startup.
- The configuration file name used for the current startup.
- The configuration file name configured for the next startup.
Examples
# Display the file names related to the current and the next startup.
<Eudemon> display startup
Configed startup system software: NULL
Startup system software: flash:/E200.bin
Next startup system software: NULL
Startup saved-configuration file: flash:/vrpcfg1.zip
Next startup saved-configuration file: flash:/vrpcfg1.zip
Format
display this
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Parameters that are in effect but equal to the defaults are not displayed, and parameters that the user has configured but whose related functions are not in effect are not displayed either. For example, on an interface encapsulated with X.25, PPP parameters configured on that interface do not appear in the output of display this. In an interface view, the command displays the configuration of that interface; in a protocol view, it displays the configuration of that protocol view; in a protocol sub-view, the configuration of the protocol view itself is not displayed.
Examples
# Display the effective running configuration of the current view.
<Eudemon> display this
1.4.20 execute
Function
Using the execute command, you can execute the specified batch file.
Format
execute file-name
Parameters
file-name: specifies the name of the batch file, suffixed with "bat". It is a string of 1 to 256 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The commands in the batch file are executed one by one. The batch file must not contain invisible characters; if any are found, the execute command exits from the current process and no rollback is performed. The execute command does not guarantee that every command in the batch file can be executed, and it cannot perform a hot backup for itself. No restriction is placed on the format or content of the batch file. Executing the batch file is an automatic procedure equivalent to entering each command manually.
Examples
# Execute the batch file test.bat in the directory flash:/.
<Eudemon> system-view
[Eudemon] execute test.bat
Format
file prompt { alert | quiet }
Parameters
alert: enables interactive acknowledgement when an operation, such as deleting a file, may cause data loss.
quiet: gives no alert when an operation, such as deleting a file, may cause data loss.
Views
System view
Default Level
3: Management level
Usage Guidelines
By default, the alerting pattern is alert.
When the alerting pattern is set to quiet, no alert is given on the condition that the operation, such as deleting files, can cause the data loss or deleting a file.
Examples
# Set the alerting pattern of the file operation to quiet.
<Eudemon> system-view
[Eudemon] file prompt quiet
1.4.22 format
Function
Using the format command, you can format the storage device.
Format
format file-system
Parameters
file-system: specifies the device name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Formatting results in the loss of all files. The lost files cannot be restored.
Examples
# Format FLASH.
<Eudemon> format flash:
17:07:06 2009/04/29 All data on flash: will be lost , proceed with format ? [Y/N]:
1.4.23 ftp
Function
Using the ftp command, you can set up a control connection with the remote FTP server and enter the FTP client view.
Format
ftp [ host [ port ] ]
Parameters
host: specifies the IP address or name of the remote FTP server. It is a string of 1 to 20 characters.
port: specifies the port number of the remote FTP server. It is an integer that ranges from 0 to 65535.
Views
User view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Connect to the remote FTP server at IP address 1.1.1.1.
<Eudemon> ftp 1.1.1.1
Format
ftp server enable
undo ftp server
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
By default, the FTP server is disabled.
Examples
# Disable the FTP server.
<Eudemon> system-view
[Eudemon] undo ftp server
Format
ftp timeout minutes
undo ftp timeout
Parameters
minutes: specifies the timeout period, in minutes. It is an integer that ranges from 1 to 35791. By default, the timeout period of the FTP connection is 30 minutes.
Views
System view
Default Level
3: Management level
Usage Guidelines
After logging in to the FTP server, the user holds a connection with it. If the connection is broken abnormally or the user cuts it abnormally, the FTP server is not notified and the connection is kept. To avoid this, a timeout period is set: if no command interaction occurs during this period, the FTP server considers the connection invalid and closes it.
Examples
# Set the timeout period of the FTP connection to 36 minutes.
<Eudemon> system-view
[Eudemon] ftp timeout 36
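As an added example (not Huawei's code) that ties together the ssh user authentication-type, user-interface maximum-vty, ftp server enable, ftp timeout and file prompt rules documented in this section: a small Python audit over a constructed configuration excerpt, reporting the settings a reviewer would want to confirm. The SAMPLE_CONFIG text and the Finding and AuditState names are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed configuration excerpt (not from a real device); each line uses
# a command form documented in this section.
SAMPLE_CONFIG = """\
 user-interface maximum-vty 0
 ftp server enable
 ftp timeout 36
 file prompt quiet
 ssh user alice assign rsa-key key1
 ssh user bob authentication-type password
 ssh user carol authentication-type rsa
 ssh user carol assign rsa-key key2
"""

MAX_VTY_RANGE = range(0, 16)          # user-interface maximum-vty: 0 to 15
FTP_TIMEOUT_RANGE = range(1, 35792)   # ftp timeout: 1 to 35791 minutes
FTP_TIMEOUT_DEFAULT = 30              # documented default, in minutes


@dataclass
class Finding:
    line_no: int        # 0 for findings derived from the whole configuration
    severity: str       # "high", "medium" or "info"
    message: str


@dataclass
class AuditState:
    ssh_auth: Dict[str, str] = field(default_factory=dict)   # user -> authentication-type
    ssh_users: Set[str] = field(default_factory=set)         # every SSH user mentioned
    ftp_enabled: bool = False                                # FTP server is disabled by default
    ftp_timeout: int = FTP_TIMEOUT_DEFAULT


def audit_config(text: str) -> List[Finding]:
    """Walk a configuration excerpt line by line and return the findings."""
    st = AuditState()
    out: List[Finding] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if m := re.fullmatch(r"user-interface maximum-vty (\d+)", line):
            n = int(m.group(1))
            if n not in MAX_VTY_RANGE:
                out.append(Finding(no, "high", f"maximum-vty {n} is outside the valid range 0 to 15"))
            elif n == 0:
                out.append(Finding(no, "high",
                                   "maximum-vty 0 closes all VTY channels; no Telnet or SSH user can log in"))
        elif line == "ftp server enable":
            st.ftp_enabled = True
            out.append(Finding(no, "medium",
                               "FTP server enabled (disabled by default); FTP carries credentials and files in clear text"))
        elif m := re.fullmatch(r"ftp timeout (\d+)", line):
            st.ftp_timeout = int(m.group(1))
            if st.ftp_timeout not in FTP_TIMEOUT_RANGE:
                out.append(Finding(no, "high", f"ftp timeout {st.ftp_timeout} is outside the valid range 1 to 35791"))
        elif line == "file prompt quiet":
            out.append(Finding(no, "medium",
                               "file prompt quiet: file operations that can lose data run without confirmation"))
        elif m := re.fullmatch(r"ssh user (\S+) authentication-type (password|rsa|all)", line):
            user, mode = m.groups()
            st.ssh_users.add(user)
            st.ssh_auth[user] = mode
            if mode != "rsa":
                out.append(Finding(no, "info", f"SSH user {user} may log in with a password (authentication-type {mode})"))
        elif m := re.fullmatch(r"ssh user (\S+) assign rsa-key \S+", line):
            st.ssh_users.add(m.group(1))
    # Cross-line checks: an SSH user without an authentication-type cannot log in,
    # and an enabled FTP server with a long idle timeout keeps dead sessions open.
    for user in sorted(st.ssh_users - set(st.ssh_auth)):
        out.append(Finding(0, "high", f"SSH user {user} has no authentication-type configured and cannot log in"))
    if st.ftp_enabled and st.ftp_timeout > FTP_TIMEOUT_DEFAULT:
        out.append(Finding(0, "info",
                           f"ftp timeout {st.ftp_timeout} min exceeds the {FTP_TIMEOUT_DEFAULT} min default; "
                           "idle FTP sessions are kept longer"))
    return out


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        where = f"line {f.line_no}" if f.line_no else "config"
        print(f"[{f.severity:6}] {where}: {f.message}")
```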
1.4.26 get
Function
Using the get command, you can download remote files and save them to the local device.
Format
get remote-file [ local-file ]
Parameters
remote-file: specifies the file name on the remote FTP server. It is a string of 1 to 64 characters.
local-file: specifies the local file name. It is a string of 1 to 64 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
If the local file name is not specified, the downloaded file is saved with the same name as the file on the remote FTP server.
Examples
# Download temp1.c and save it with the name as temp.c.
<Eudemon> ftp 10.1.1.1
[ftp] get temp1.c temp.c
1.4.27 lcd
Function
Using the lcd command, you can get the local working directory of an FTP client.
Format
lcd
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Display the local working path.
<Eudemon> ftp 10.1.1.1
[ftp] lcd
% Local directory now d:/temp
1.4.28 ls
Function
Using the ls command, you can query a specified file and save the results to a specified file.
Format
ls [ remote-file ] [ local-file ]
Parameters
remote-file: specifies the queried remote file. The name is a string of 1 to 64 characters.
local-file: specifies the name of the local file that stores the results. The name is a string of 1 to 64 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
By default, all the files are displayed if you do not specify any parameters.
Examples
# Query temp.c.
<Eudemon> ftp 10.1.1.1
[ftp] ls temp.c
Format
mkdir directory
Parameters
directory: specifies a directory name. The value is a string of 1 to 64 characters, and the maximum length of the directory name at each level is 15 characters. The name of the directory should not include the following characters: ~, /, \, : , *, ".
Views
User view
Default Level
3: Management level
Usage Guidelines
Note that the name of the created directory cannot be the same as that of any other directory or file in the specified directory.
Examples
# Create a directory dd.
<Eudemon> mkdir dd
Created dir dd.
Format
mkdir pathname
Parameters
pathname: specifies the directory name. The value is a string of 1 to 64 characters, and the maximum length of the directory name at each level is 15 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Create a directory test at the remote FTP server.
<Eudemon> ftp 10.1.1.1
[ftp] mkdir test
1.4.31 more
Function
Using the more command, you can display a specified file.
Format
more file-name
Parameters
file-name: specifies the file name. It is a string of 1 to 64 characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
By default, the system displays a file as text, that is, it prints the content of the file.
Examples
# Display the content of the file test.txt.
<Eudemon> more test.txt
AppWizard has created this test application for you. This file contains a summary of what you will find in each of the files that make up your test application.
Test.dsp
This file (the project file) contains information at the project level and is used to build a single project or subproject. Other users can share the project (.dsp) file, but they should export the makefiles locally.
1.4.32 move
Function
Using the move command, you can move a file.
Format
move source-file-name dest-file-name
Parameters
source-file-name: specifies the source file name. It is a string of 1 to 64 characters.
dest-file-name: specifies the destination file name. It is a string of 1 to 64 characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
If the name of the destination file is the same as that of an existing directory, the execution fails. If the name of the destination file is the same as that of an existing file, the system prompts you to confirm whether the existing file should be overwritten.
Examples
# Move the sample.txt file from flash:/test/sample.txt to flash:/sample.txt.
<Eudemon> dir
Directory of flash:/
-rwxrwxrwx 1 noone nogroup  121692 Apr 18 2003 11:17:26 matnLog.dat
-rwxrwxrwx 1 noone nogroup     956 Mar 19 2003 09:12:55 exception.dat
-rwxrwxrwx 1 noone nogroup    2165 Apr 04 2003 20:48:23 vrpcfg.cfg
-rwxrwxrwx 1 noone nogroup 6434223 Mar 29 2003 16:28:20 vrp3.cc
drwxrwxrwx 1 noone nogroup         Apr 18 2003 15:29:49 test
6477 KBytes total (48 KBytes free)
<Eudemon> dir flash:/test/
Directory of flash:/test/
-rwxrwxrwx 1 noone nogroup    2227 Apr 18 2003 15:38:30 test.txt
-rwxrwxrwx 1 noone nogroup    2165 Apr 18 2003 15:36:52 sample.txt
<Eudemon> move flash:/test/sample.txt flash:/sample.txt
<Eudemon> dir
Directory of flash:/
-rwxrwxrwx 1 noone nogroup  121692 Apr 18 2003 11:17:26 matnLog.dat
-rwxrwxrwx 1 noone nogroup     956 Mar 19 2003 09:12:55 exception.dat
-rwxrwxrwx 1 noone nogroup    2165 Apr 04 2003 20:48:23 vrpcfg.cfg
-rwxrwxrwx 1 noone nogroup 6434223 Mar 29 2003 16:28:20 vrp3.cc
drwxrwxrwx 1 noone nogroup         Apr 18 2003 15:29:49 test
-rwxrwxrwx 1 noone nogroup     444 Apr 18 2003 15:40:00 sample.txt
6477 KBytes total (47 KBytes free)
<Eudemon> dir flash:/test/
Directory of flash:/test/
-rwxrwxrwx 1 noone nogroup    2227 Apr 18 2003 15:38:30 test.txt
6477 KBytes total (47 KBytes free)
1.4.33 open
Function
Using the open command, you can set up a control connection with the remote FTP server.
Format
open ip-address [ port ]
Parameters
ip-address: specifies the IP address of the remote FTP server. It is a string of 1 to 20 characters.
port: specifies the port number of the remote FTP server. It is an integer that ranges from 0 to 65535.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Establish an FTP connection with the host at address 10.110.3.1.
<Eudemon> ftp 10.1.1.1
[ftp] open 10.110.3.1
1.4.34 passive
Function
Using the passive command, you can set data transmission mode to passive. Using the undo passive command, you can set data transmission mode to active.
Format
passive
undo passive
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
By default, the transmission mode is passive.
Examples
# Set data transmission mode to passive.
<Eudemon> ftp 10.1.1.1
[ftp] passive
1.4.35 put
Function
Using the put command, you can upload a local file to the remote FTP server.
Format
put local-file [ remote-file ]
Parameters
local-file: specifies the local file name. It is a string of 1 to 64 characters.
remote-file: specifies the file name on the remote FTP server. It is a string of 1 to 64 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
If no file name on the remote server is specified, the uploaded file uses the same name as the local file.
Examples
# Upload the local file temp.c to the remote FTP server and save it there as temp1.c.
<Eudemon> ftp 10.1.1.1
[ftp] put temp.c temp1.c
Format
pwd
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
If you have not set the current path, the operation will fail.
Examples
# Display the current directory.
<Eudemon> pwd
flash:/test
Function
Using the pwd command, you can display the working directory on the remote FTP server.
Format
pwd
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Display the working directory on the remote FTP server.
<Eudemon> ftp 10.1.1.1
[ftp] pwd
17:07:47 2009/04/29
257 "F:\FileServer" is current directory
Format
quit
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Disconnect from the remote FTP server and return to the user view.
<Eudemon> ftp 10.1.1.1
[ftp] quit
1.4.39 remotehelp
Function
Using the remotehelp command, you can display the help of FTP commands.
Format
remotehelp [ protocol-command ]
Parameters
protocol-command: specifies the FTP command. It is a string of 1 to 16 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Display the syntax of the user command.
<Eudemon> ftp 10.1.1.1
[ftp] remotehelp user
214 Syntax: USER <sp> <username>
1.4.40 rename
Function
Using the rename command, you can rename a file.
Format
rename source-file-name dest-file-name
Parameters
source-file-name: specifies the source file name. It is a string of 1 to 64 characters.
dest-file-name: specifies the destination file name. It is a string of 1 to 64 characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
If the name of the destination file is the same as that of an existing directory or an existing file, the system prompts an error message.
Examples
# Rename the file sample.txt as sample.bak.
<Eudemon> rename sample.txt sample.bak
17:08:27 2009/04/29
%Rename file flash:/sample.txt to flash:/sample.bak ......Done.
Format
reset recycle-bin [ file-name ]
Parameters
file-name: specifies the name of the file to be deleted. It is a string of 1 to 64 characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
The command supports the asterisk wildcard. The delete (User View) command in the user view only moves a file to the recycle bin. To delete the file permanently, use the reset recycle-bin command.
Examples
# Delete the files in the recycle bin.
<Eudemon> reset recycle-bin flash:/p1h_logic.out
17:09:25 2009/04/29
Clear file from flash will take a long time if needed......Done!.
%Cleared file flash:/p1h_logic.out.
Format
rmdir directory
Parameters
directory: specifies the name of the directory. The value is a string of 1 to 64 characters, and the maximum length of the directory name at each level is 15 characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
The directory to be deleted must be an empty one.
Examples
# Delete the directory test.
<Eudemon> rmdir test
17:11:37 2009/04/29
%Removing directory flash:/test.....Done!
Format
rmdir pathname
Parameters
pathname: specifies the directory name on the remote FTP server. It is a string ranging from 1 to 64 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Delete the d:/temp1 directory on the FTP server.
<Eudemon> ftp 10.1.1.1
[ftp] rmdir d:/temp1
1.4.44 tftp
Function
Using the tftp command, you can upload a file to the TFTP server or download a file from the TFTP server to the local device.
Format
tftp { X.X.X.X | host-name } { get | put } source-file-name [ dest-file-name ]
Parameters
X.X.X.X: specifies the IP address of the TFTP server.
host-name: specifies the host name of the TFTP server.
get: downloads files.
put: uploads files.
source-file-name: specifies the source file name. It is a string of 1 to 56 characters.
dest-file-name: specifies the destination file name. It is a string of 1 to 64 characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Download the vrpcfg.txt file from the root directory of the TFTP server to the local hard disk. The IP address of the TFTP server is 1.1.254.2. Save the downloaded file as vrpcfg.bak.
<Eudemon> tftp 1.1.254.2 get vrpcfg.txt hda1:/vrpcfg.bak
# Upload the vrpcfg.txt file from the root directory of the flash to the default directory of the TFTP server. The IP address of the TFTP server is 1.1.254.2. Save the uploaded file as vrpcfg.bak.
<Eudemon> tftp 1.1.254.2 put flash:/vrpcfg.txt vrpcfg.bak
Format
tftp-server acl acl-number
undo tftp-server acl
Parameters
acl-number: specifies the basic ACL number. It is an integer that ranges from 2000 to 2999.
Views
System view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Apply ACL 2001 to control access to the TFTP server.
<Eudemon> system-view
[Eudemon] tftp-server acl 2001
1.4.46 undelete
Function
Using the undelete command, you can restore a deleted file.
Format
undelete file-name
Parameters
file-name: specifies the name of the file to be restored. It is a string of 1 to 64 characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
If the name of the file to be restored is the same as that of an existing directory, the execution fails. If the name is the same as that of an existing file, the system prompts you to confirm whether to overwrite the existing file.
Examples
# Restore the deleted file sample.bak.
<Eudemon> undelete sample.bak
Undelete flash:/test/sample.bak?[Y/N]:y
% Undeleted file flash:/test/sample.bak
1.4.47 user
Function
Using the user command, you can log in to the FTP server again as a specified user.
Format
user user-name [ password ]
Parameters
user-name: specifies the login user name. It is a string of 1 to 32 characters.
password: specifies the login password. It is a string of 1 to 16 characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Log in to the FTP server with the user name tom and the password bjhw.
<Eudemon> ftp 10.1.1.1
[ftp] user tom bjhw
1.4.48 verbose
Function
Using the verbose command, you can enable the verbose function. Using the undo verbose command, you can disable the verbose function.
Format
verbose
undo verbose
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
By default, the verbose function is disabled.
Examples
# Enable the verbose function.
<Eudemon> ftp 10.1.1.1
[ftp] verbose
Format
compare configuration [ line-number1 line-number2 ]
Parameters
line-number1: specifies the start line number in the current configuration file for comparing. It is an integer that ranges from 0 to 65535.
line-number2: specifies the start line number in the saved configuration file for comparing. It is an integer that ranges from 0 to 65535.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
If no parameter is specified, the system compares the saved configuration file and the current configuration file from the first line. If both parameters are specified, the system skips the differences before the specified lines and continues comparing the two configuration files from those lines. Finally, the system outputs the differences between the saved configuration file and the current configuration file (that is, it locates the differences). By default, the output difference information is limited to 150 characters. If fewer than 150 characters remain, the differences up to the end of the two files are displayed.
Examples
# Compare configuration files.
<Eudemon> compare configuration
WARNING:the current configuration is NOT the same as the saved configuration!
====== Current configuration line 34 ======
ip address 10.1.2.1 255.0.0.0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
====== Saved configuration line 34 ======
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface GigabitEthernet0/0/0
 se
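The line-by-line comparison the Usage Guidelines describe, as an added Python example that is not part of the Huawei manual: it starts at the given line of each file, reports the first divergence and caps each excerpt at 150 characters. The sample configurations, the 0-based line offsets and the report layout are my assumptions.

```python
"""Model of `compare configuration` (added example, not Huawei code).

Assumptions (mine, not the manual's): each configuration is plain text with
one command per line, the comparison is line by line, line-number1 and
line-number2 are 0-based offsets (the report prints them 1-based, like the
"line 34" in the manual's output), and each excerpt is capped at 150
characters as the Usage Guidelines state."""

OUTPUT_LIMIT = 150  # characters of difference shown per file

# Constructed sample: the running configuration carries an unsaved change.
CURRENT_CONFIG = """\
#
sysname Eudemon
#
interface GigabitEthernet0/0/0
 ip address 10.1.2.1 255.0.0.0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface GigabitEthernet0/0/0
#
return"""

# Saved configuration: identical except that the ip address line is absent.
SAVED_CONFIG = "\n".join(
    line for line in CURRENT_CONFIG.splitlines()
    if not line.startswith(" ip address")
)


def compare_configuration(current, saved, line_number1=0, line_number2=0,
                          limit=OUTPUT_LIMIT):
    """Compare `current` against `saved` starting at the given lines.

    Returns None when the files agree from those lines to the end, otherwise
    (cur_line, sav_line, cur_excerpt, sav_excerpt): the first diverging line
    of each file and the text from there on, capped at `limit` characters.
    """
    cur = current.splitlines()
    sav = saved.splitlines()
    i, j = line_number1, line_number2
    # Walk both files in step while they agree. Anything before the start
    # lines is never looked at, which is how the two-parameter form skips
    # an already-known difference.
    while i < len(cur) and j < len(sav) and cur[i] == sav[j]:
        i += 1
        j += 1
    if i >= len(cur) and j >= len(sav):
        return None
    cur_excerpt = "\n".join(cur[i:])[:limit]
    sav_excerpt = "\n".join(sav[j:])[:limit]
    return i, j, cur_excerpt, sav_excerpt


def format_report(result):
    """Render a result in the style of the command output (layout assumed)."""
    if result is None:
        return "The current configuration is the same as the saved configuration."
    i, j, cur_excerpt, sav_excerpt = result
    return "\n".join([
        "WARNING:the current configuration is NOT the same as the saved configuration!",
        f"====== Current configuration line {i + 1} ======",
        cur_excerpt,
        f"====== Saved configuration line {j + 1} ======",
        sav_excerpt,
    ])


if __name__ == "__main__":
    # Unsaved changes on a firewall are worth an alert: the running policy
    # will not survive a reboot and may not have been reviewed.
    print(format_report(compare_configuration(CURRENT_CONFIG, SAVED_CONFIG)))
    # Resume past the known difference (current line 5 vs saved line 4).
    print(format_report(compare_configuration(CURRENT_CONFIG, SAVED_CONFIG, 5, 4)))
```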
Function
Using the debugging command, you can enable a debugging switch. Using the undo debugging command, you can disable a debugging switch.
Format
debugging { all [ timeout time-value ] | module-name { debug-option1 } [ debug-option2 ] ... }
undo debugging { all | module-name { debug-option1 } [ debug-option2 ] ... }
Parameters
all: enables or disables all debugging switches. By default, all debugging switches are disabled.
timeout time-value: indicates how long debugging stays enabled after the debugging command is run. When the set duration expires, the system automatically disables the debugging. It is in minutes, ranging from 1 to 1440. The default value is 1 minute.
module-name: specifies a module name.
debug-option: specifies a debugging option.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
The device provides various kinds of debugging, which are generally used by technical support and qualified maintenance personnel to diagnose network faults. After a debugging switch is enabled, the system generates a large amount of debugging information and its efficiency drops. In particular, enabling all debugging switches with the debugging all command may cause the network to crash. It is recommended that you do not use the debugging all command. You can, however, conveniently disable all debugging switches using the undo debugging all command.
Examples
# Enable IP Packet debugging switch.
<Eudemon> debugging ip packet
IP packet debugging switch is on.
Using the undo debugging license command, you can disable the debugging of the license module.
Format
debugging license
undo debugging license
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enable the debugging function for the license module.
<Eudemon> debugging license
Format
display saved-configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If the Eudemon cannot work normally after being powered on, use the display saved-configuration command to check the configuration file used during Eudemon startup.
Examples
# Display the configuration file saved in the storage device.
<Eudemon> display saved-configuration
Format
display current-configuration [ interface [ interface-type interface-number ] | configuration [ configuration-name ] ] [ | { begin | exclude | include } regular-expression ]
Parameters
configuration configuration-name: outputs the information of the specified configuration.
interface-type: specifies the interface type.
interface-number: specifies the interface number.
begin regular-expression: outputs all lines beginning with the first line that matches the specified regular expression.
exclude regular-expression: outputs all lines that do not match the specified regular expression.
include regular-expression: outputs only the lines that match the specified regular expression.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If the parameter is configured as its default value, the system will not display the parameter configuration.
After the configurations are complete, use the display current-configuration command to view which parameters have taken effect. Parameters that have not taken effect are not displayed. For example, if the link layer of an interface is encapsulated with X.25 and you have configured PPP parameters on that interface, the PPP configuration does not appear on the interface when you run the display current-configuration command.
Examples
# Display the currently effective configurations.
<Eudemon> display current-configuration configuration aaa
#
aaa
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
#
return
Format
display channel [ channel-number | channel-name ]
Parameters
channel-number: specifies the channel number. It is an integer that ranges from 0 to 9. That is, the system has 10 channels.
channel-name: specifies the channel name.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If no parameter is specified in the command, the setting status of all channels is displayed.
Examples
# Display the content of channel 0.
<Eudemon> display channel 0
channel number:0, channel name:console
MODU_ID   NAME  ENABLE  LOG LEVEL  ENABLE  TRAP LEVEL  ENABLE  DEBUG LEVEL
ffff0000  all   Y       warning    Y       debugging   Y       debugging
Format
display debugging [ interface interface-type interface-number ] [ module-name ]
Parameters
module-name: specifies a module name.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
By default, all the enabled debugging is displayed when no parameter is specified.
Examples
# Display all the enabled debugging.
<Eudemon> display debugging
IP packet debugging switch is on.
Format
display diagnostic-information
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the technical support information.
<Eudemon> display diagnostic-information
Format
display environment
Parameters
None
Views
All views
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# View the temperature and voltage at the current monitoring points.
<Eudemon> display environment
Environment information:
Temperature information:
local  CurrentTemperature  LowLimit   HighLimit  Status
       (Celsius)           (Celsius)  (Celsius)  (OK/FAIL)
CPU    43                  0          60         OK
VENT   27                  0          40         OK
Voltage information:
------------------------------------------------------------------
CheckPoint  ReferenceVol  Range          CurrentVol  Status
DDR         1.8V          1710~ 1890 mV  1800mV      OK
IO-1        2.5V          2362~ 2613 mV  2494mV      OK
IO-2        3.3V          3126~ 3455 mV  3299mV      OK
IO-3        1.8V          1710~ 1890 mV  1820mV      OK
CPU         1.0V          950~ 1050 mV   1000mV      OK
FAN         9.0V          8520~ 9420 mV  9060mV      OK
USB         5.0V          4732~ 5226 mV  5070mV      OK
------------------------------------------------------------------
Format
display firewall logtime [ defend | acl | statistic ]
Parameters
defend: displays the scan interval of attack-defense logs.
acl: displays the scan interval of ACL logs.
statistic: displays the scan interval of statistics logs.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the scan interval of attack-defense logs.
<Eudemon> display firewall logtime defend
Atack logtime is 30 s.
Format
display firewall statistic stream { application | basic-protocol | interface }
Parameters
application: statistics for the traffic of each application-layer protocol, in Kbit/s. The protocols include EMAIL, FTP, HTTP, QQ, DNS, MSN, SIP, H323, RTSP, GTCP, and GUDP. GTCP indicates the sum of all TCP-based protocol traffic. GUDP indicates the sum of all UDP-based protocol traffic.
basic-protocol: statistics for the traffic of each basic protocol, in Kbit/s. The basic protocols include TCP, UDP, ICMP, and OTHER. OTHER indicates all basic protocols other than TCP, UDP, and ICMP.
interface: statistics for the rate of packets sent and received at each interface, in Kbit/s.
Views
All views
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# View the rate of packets sent and received at each interface of the Eudemon.
<Eudemon> display firewall statistic stream interface
Format
display info-center [ statistics ]
Parameters
statistics: displays the statistics in the information center.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display all the information recorded in the information center.
<Eudemon> display info-center
Information Center: enabled
Log host:
Console: channel number : 0, channel name : console
Monitor: channel number : 1, channel name : monitor
SNMP Agent: channel number : 5, channel name : snmpagent
Log buffer: enabled,max buffer size 1024, current buffer size 256, current messages 4, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 0
Trap buffer: enabled,max buffer size 1024, current buffer size 256, current messages 0, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
logfile: channel number : 9, channel name : channel9, language : english
Information timestamp setting: log - datetime, trap - datetime, debug - uptime
Sent messages = 14, Received messages = 13
IO Reg messages = 0 IO Sent messages = 0
Format
display license
Parameters
None
Views
All views
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Display the information about the license.
<Eudemon> display license
Format
display logbuffer [ common-log | sec-log ] [ size number | level level-number | | { begin | include | exclude } text ] *
display logbuffer summary [ level level-number ]
Parameters
common-log: displays common logbuffer status and configuration information.
sec-log: displays security logbuffer status and configuration information.
size number: displays the number of information items in the specified logging buffer. It is an integer that ranges from 1 to 1024.
level level-number: displays the specified information level. It is an integer that ranges from 1 to 8.
|: filters the output using the regular expressions.
begin: displays the configuration beginning with the specified string (string).
include: displays the configuration including the specified string (string).
exclude: displays the configuration excluding the specified string (string).
text: specifies the regular expression.
summary: displays the summary of the logging buffer.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the information in the logging buffer.
<Eudemon> display logbuffer
Logging buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 2959
Current messages : 512
2008-12-23 10:30:28 Eudemon %%01HWCM/5/TRAPLOG(l): 1.3.6.1.4.1.2011.6.10.2.0.1 configure changed: EventIndex=156,CommandSource=1,ConfigSource=3,ConfigDestination=2
... ... ...
Table 1-4 shows the description of the display logbuffer command output.
Table 1-4 Description of the display logbuffer command output
Item                                       Description
Logging Buffer Configuration and contents  Status of the log buffer
allowed max buffer size                    Maximum log buffer size
actual buffer size                         Actual log buffer size
channel number                             Channel number
channel name                               Channel name
dropped messages                           Discarded messages
overwritten messages                       Superseded messages
current messages                           Current messages
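An added Python example, not part of the Huawei manual, that parses display logbuffer output in the format shown above: it reads the buffer counters and each %%01MODULE/LEVEL/MNEMONIC(l) entry, flags a buffer that has dropped or overwritten messages (so the buffer alone is not a complete audit trail and a log host is needed), and extracts the HWCM configuration-change events. The sample text is constructed from the example above plus one made-up SHELL/LOGIN line, and treating (l) as the log flag is my assumption.

```python
"""Parser for `display logbuffer` output (added example, not Huawei code).

Assumptions (mine, not the manual's): the (l) flag marks a log entry, the
timestamp uses the datetime form shown by display info-center, and the
second log line in the sample below is constructed, not a real Eudemon
message."""
import re

# Constructed sample modelled on the manual's display logbuffer output.
SAMPLE_LOGBUFFER = """\
Logging buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 2959
Current messages : 512
2008-12-23 10:30:28 Eudemon %%01HWCM/5/TRAPLOG(l): 1.3.6.1.4.1.2011.6.10.2.0.1 configure changed: EventIndex=156,CommandSource=1,ConfigSource=3,ConfigDestination=2
2008-12-23 10:31:02 Eudemon %%01SHELL/5/LOGIN(l): constructed sample: user tom logged in from 10.1.1.5
"""

COUNTER_RE = re.compile(
    r"(Allowed max buffer size|Actual buffer size|Dropped messages|"
    r"Overwritten messages|Current messages)\s*:\s*(\d+)")

ENTRY_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "  # datetime stamp
    r"(?P<host>\S+) "                                        # sysname
    r"%%(?P<version>\d{2})"                                  # format version
    r"(?P<module>\w+)/(?P<level>\d)/(?P<mnemonic>\w+)"       # HWCM/5/TRAPLOG
    r"\((?P<kind>[a-z])\):\s*(?P<text>.*)$")                 # (l): message

KV_RE = re.compile(r"([A-Za-z]\w*)=([^,\s]+)")  # EventIndex=156,...


def parse_entry(line):
    """Return a dict for one log entry, or None if the line is not an entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["level"] = int(entry["level"])
    # Key=value pairs in the free text (e.g. ConfigSource=3) are kept apart.
    entry["fields"] = dict(KV_RE.findall(entry["text"]))
    return entry


def parse_logbuffer(text):
    """Split the command output into (counters, entries)."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    entries = [e for e in map(parse_entry, text.splitlines()) if e is not None]
    return counters, entries


def buffer_lost_messages(counters):
    """True when the ring buffer dropped or overwrote entries: what is left
    in the buffer is then only a window on recent activity."""
    return (counters.get("Dropped messages", 0) > 0
            or counters.get("Overwritten messages", 0) > 0)


def config_change_events(entries):
    """Entries from the configuration-management module reporting a change."""
    return [e for e in entries
            if e["module"] == "HWCM" and "configure changed" in e["text"]]


if __name__ == "__main__":
    counters, entries = parse_logbuffer(SAMPLE_LOGBUFFER)
    print("buffer lost messages:", buffer_lost_messages(counters))
    for e in config_change_events(entries):
        print(e["timestamp"], e["host"], e["mnemonic"], e["fields"])
```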
Function
Using the display patch-information command, you can view patch information of the Eudemon.
Format
display patch-information
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Display patch information of the Eudemon.
<Eudemon> system-view
[Eudemon] display patch-information
----------Patch information---------
patch version :
program version :
temp patch number : 0
common patch number : 0
current patch number : 0
running patch number : 0
active patch number : 0
patch area length : 0x100000
patch area start address: 0x100000
Format
display trapbuffer [ size sizeval ]
Parameters
size sizeval: specifies the number of the information items to be displayed in the specified alarm buffer. It is an integer that ranges from 1 to 1024.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
By default, if no parameter is specified, all the information in the trap buffer is displayed. If the number of entries in the alarm buffer is smaller than sizeval, only the entries actually present are displayed.
Examples
# Display the information in the alarm buffer.
<Eudemon> display trapbuffer
Trapping Buffer Confiuration and contents: enabled
allowed max buffer size : 1024
actual buffer size : 256
channel number : 3 , channel name : trapbuffer
dropped messages : 0
overwritten messages : 0
current messages : 0
Format
firewall log stream enable
undo firewall log stream enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the traffic monitoring log function is disabled.
Examples
# Enable the traffic monitoring log function of the Eudemon.
<Eudemon> system-view
[Eudemon] firewall log stream enable
Format
firewall { defend | acl | statistic } log-time value
undo firewall { defend | acl | statistic } log-time
Parameters
defend value: configures the regular scan interval of the attack-defense log buffer. It is an integer that ranges from 1 to 65535, in seconds. The default value is 30 seconds.
acl value: configures the regular scan interval of the ACL log buffer. It is an integer that ranges from 1 to 10, in seconds. The default value is 1 second.
statistic value: configures the regular scan interval of the statistics log buffer. It is an integer that ranges from 1 to 65535, in seconds. The default value is 30 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the scan interval of the attack-defense log buffer to 100 seconds.
<Eudemon> system-view
[Eudemon] firewall defend log-time 100
Format
firewall session log-type { syslog | binary host ip-address port }
undo firewall session log-type
Parameters
syslog: outputs the traffic log in text format.
binary: outputs the traffic log in binary-flow format.
host ip-address: specifies the IP address of the binary log host.
port: specifies the UDP port of the binary log host. It is an integer that ranges from 1024 to 65535.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Logs can be output in text format or binary format.
Examples
# Output traffic log in binary format (host address is set to 10.110.93.178 and port number is set to 500).
<Eudemon> system-view
[Eudemon] firewall session log-type binary host 10.110.93.178 500
Format
info-center channel channel-number name channel-name
undo info-center channel channel-number
Parameters
channel-number: specifies the channel number, in the range of 0 to 9. That is, the system has 10 channels.
channel-name: specifies a channel name. It can be 1 to 30 characters. The first character of the channel name cannot be a digit or any of the following characters: - / \
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The channels should have the same name.
Examples
# Name channel 0 as "execconsole".
<Eudemon> system-view
[Eudemon] info-center channel 0 name execconsole
Format
info-center console channel { channel-number | channel-name }
undo info-center console channel
Parameters
channel-number: specifies the channel number, in the range of 0 to 9. That is, the system has 10 channels.
channel-name: specifies the channel name.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the log information is output to the console. This command takes effect only when the log information center is started up.
Examples
# Output the information to the console through a specified channel.
<Eudemon> system-view
[Eudemon] info-center console channel console
Format
info-center enable
undo info-center enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the information center is enabled. The system outputs the information to the log host and the console after the information center is started up.
Examples
# Enable the information center.
<Eudemon> system-view
[Eudemon] info-center enable
% information center is enabled
Format
info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ] *
undo info-center logbuffer [ channel | size ]
Parameters
channel: sets the channel for outputting the information to the log buffer.
channel-number: specifies the channel number, in the range of 0 to 9. That is, the system has 10 channels.
channel-name: specifies the channel name.
size: sets the size of the log buffer.
buffersize: specifies the size of the log buffer as the number of messages it holds. The value is in the range of 0 to 1024.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, output to the log buffer is enabled and the buffer holds 512 messages. This command takes effect only when the information center is enabled. Setting the buffer size controls how much information is kept in this output direction.
Examples
# Enable the Eudemon to send information to the log buffer, and set the size of log buffer to 50.
<Eudemon> system-view
[Eudemon] info-center logbuffer size 50
Format
info-center loghost X.X.X.X [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } | source { all | public | vpn-instance vpn-instance-name } ] *
undo info-center loghost X.X.X.X
Parameters
X.X.X.X: specifies the IP address of the log host.
channel: sets the information channel used for the log host.
channel-number: specifies the channel number. The value is in the range of 0 to 9; that is, the system has 10 channels.
channel-name: specifies the channel name.
facility: sets the syslog facility under which the log host records the messages.
local-number: specifies the facility, in the range of local0 to local7.
language: sets the language of the recorded information.
chinese, english: the log record language; either Chinese or English can be selected.
source: indicates the information source with respect to VPNs.
all: all public network and VPN instances.
public: the public network only.
vpn-instance vpn-instance-name: one specified VPN instance.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no information is output to a log host. The log host direction uses information channel 2, named loghost; the facility is local7 and the language is English. This command takes effect only when the information center is enabled. Configuring a log host's IP address controls which information is output in that direction. At most four log hosts can be configured.
Examples
# Enable the Eudemon to send information to UNIX workstation with the IP address 202.38.160.1.
<Eudemon> system-view
[Eudemon] info-center loghost 202.38.160.1
Format
info-center loghost source interface-type interface-number
Parameters
interface-type: specifies the type of the interface.
interface-number: specifies the number of the interface.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the source address of a log packet sent by the Eudemon is the IP address of the interface from which the packet leaves. If several Eudemons send information to the same log host, configure a distinct source interface on each so that the log host can tell which Eudemon sent a message and the received messages can be searched conveniently.
Examples
# Set IP address of the interface Loopback 0 as the source address sending log message.
<Eudemon> system-view
[Eudemon] interface loopback 0
[Eudemon-LoopBack0] ip address 1.1.1.1 255.255.255.0
[Eudemon-LoopBack0] quit
[Eudemon] info-center loghost source loopback 0
Format
info-center loghost type { linux | other | unix | windows }
undo info-center loghost type
Parameters
linux: selects the Linux operating system.
other: selects another operating system.
unix: selects the Unix operating system.
windows: selects the Windows operating system.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the operating system of the log server host to Unix.
<Eudemon> system-view
[Eudemon] info-center loghost type unix
Format
info-center monitor channel { channel-number | channel-name }
undo info-center monitor channel
Parameters
channel-number: specifies the channel number, in the range of 0 to 9; that is, the system has 10 channels.
channel-name: specifies the channel name.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no information is output to the user terminal. This command takes effect only when the information center is enabled.
Examples
# Output the information to the user terminal through a specified channel.
<Eudemon> system-view
[Eudemon] info-center monitor channel monitor
Format
info-center snmp channel { channel-number | channel-name }
undo info-center snmp channel
Parameters
channel-number: specifies the channel number, in the range of 0 to 9; that is, the system has 10 channels. By default, channel 5 is used.
channel-name: specifies the channel name.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set channel 6 as the SNMP information channel.
<Eudemon> system-view
[Eudemon] info-center snmp channel 6
Function
Using the info-center source command, you can add records to the information channel. Using the undo info-center source command, you can remove the records in the information channel.
Format
info-center source { module-name | default } channel { channel-number | channel-name } [ log { state { on | off } | level severity } * | trap { state { on | off } | level severity } * | debug { state { on | off } | level severity } * ] *
undo info-center source { module-name | default } channel { channel-number | channel-name }
Parameters
module-name: specifies the module name.
default: sets the default information record.
channel-number: specifies the number of the information channel. It ranges from 1 to 9.
channel-name: specifies the name of the channel to be set.
log: specifies log information. By default, log output is on and the level is informational.
trap: specifies alarm information. By default, trap output is on and the level is informational.
debug: specifies debugging information. By default, debugging output is off.
on: enables output of the information.
off: disables output of the information.
level: sets the information level. Information whose level number is higher than severity (that is, less severe) is not output. For example, a level of critical on a channel suppresses the Errors-level record of a wrong user password.
severity: specifies the information level. The information center divides information into 8 levels, as shown in Table 1-5. The more severe the information, the lower its level number: emergencies is level 1 and debugging is level 8.
Table 1-5 Definition of the eight information levels
Emergencies (level 1): A fatal fault, such as the program working abnormally or device memory being misused. The system must restart.
Alerts (level 2): An important fault, such as device memory reaching its high limit. The fault must be removed immediately.
Critical (level 3): A crucial fault, such as memory occupancy or temperature reaching its lowest limit. The fault needs to be analyzed and removed.
Errors (level 4): A fault caused by a wrong operation or process, such as a wrong user password or wrong protocol packets received from other devices. It does not affect the following service but needs attention.
Warnings (level 5): An abnormal situation of the running device, such as the user disabling the routing process. It needs attention since it may affect service provision.
Notifications (level 6): Key operations that keep the device running normally, such as the shutdown command, neighbor discovery, or the state machine.
Informational (level 7): Common operations that keep the device running normally, such as the display command.
Debugging (level 8): Common device information that needs no attention.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
At present, the system allocates one information channel to each output direction, as shown in Table 1-6.
Table 1-6 Default information channel for each output direction
Console: console
Monitor terminal: monitor
Logging host: loghost
Alarm buffer: trapbuffer
Logging buffer: logbuffer
SNMP: snmpagent
A default record is set for each information channel. Its module name is "default" and its module number is 0xffff0000. For different information channels, the default record has different values for log, alarm and debugging information. The default record is used for any module that has no configuration record of its own in the channel.
Examples
# Output log information of the AAA module to the SNMP channel, passing only messages at level emergencies.
<Eudemon> system-view
[Eudemon] info-center source aaa channel snmpagent log level emergencies
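As an added example (not from the Huawei manual), the following Python shows what the loghost facility and the info-center source level mean on the receiving side: it computes the RFC 3164 PRI a message carries for a given facility (local0 to local7) and device level (1 to 8 as in Table 1-5), decodes lines received by a log host, and applies the channel's level filter. The PRI arithmetic is standard syslog; the mapping of the device's 1-based level onto the 0-based syslog severity as level - 1, and the sample lines, are assumptions constructed here.

```python
"""
Added example (not from the Huawei manual): syslog priority arithmetic for
messages a Eudemon sends to a log host, plus the per-channel level filter.

Grounded in the page: info-center loghost selects a facility local0..local7
(default local7); info-center source sets a level 1..8 where 1 is emergencies
and 8 is debugging, and messages whose level number is higher (less severe)
than the configured level are not output. RFC 3164 PRI = facility * 8 +
severity is standard; the assumption that the device's 1-based level maps to
the 0-based syslog severity as (level - 1) is ours.
"""
import re
from typing import Any, Dict, Iterable, List, Optional

# RFC 3164 facility codes for the local-use facilities the loghost command accepts.
FACILITY_CODES: Dict[str, int] = {f"local{n}": 16 + n for n in range(8)}
CODE_TO_FACILITY: Dict[int, str] = {v: k for k, v in FACILITY_CODES.items()}

# Table 1-5 on the page; index 0 is unused so that LEVEL_NAMES[1] == "emergencies".
LEVEL_NAMES: List[str] = ["", "emergencies", "alerts", "critical", "errors",
                          "warnings", "notifications", "informational", "debugging"]
LEVEL_OF_NAME: Dict[str, int] = {name: i for i, name in enumerate(LEVEL_NAMES) if name}


def level_to_syslog_severity(level: int) -> int:
    """Device level 1..8 -> syslog severity 0..7 (assumption: severity = level - 1)."""
    if not 1 <= level <= 8:
        raise ValueError(f"level must be 1..8, got {level}")
    return level - 1


def pri_value(facility: str, level: int) -> int:
    """PRI carried by a message of the given device level under this facility."""
    if facility not in FACILITY_CODES:
        raise ValueError(f"facility must be local0..local7, got {facility!r}")
    return FACILITY_CODES[facility] * 8 + level_to_syslog_severity(level)


def decode_pri(pri: int) -> Dict[str, Any]:
    """Split a PRI back into facility name and device level number/name."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI must be 0..191, got {pri}")
    facility_code, severity = divmod(pri, 8)
    level = severity + 1
    return {
        "facility": CODE_TO_FACILITY.get(facility_code, f"facility{facility_code}"),
        "level": level,
        "level_name": LEVEL_NAMES[level],
    }


PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse '<PRI>rest' as received on the log host; None if there is no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    info = decode_pri(pri)
    info["message"] = m.group(2)
    return info


def passes_level_filter(message_level: int, configured: str) -> bool:
    """info-center source ... level <severity>: keep a message only if its level
    number is not higher (not less severe) than the configured one."""
    return message_level <= LEVEL_OF_NAME[configured]


def filter_messages(lines: Iterable[str], configured: str) -> List[str]:
    """Apply the channel filter to received lines; return the surviving message bodies."""
    kept: List[str] = []
    for line in lines:
        parsed = parse_syslog_line(line)
        if parsed and passes_level_filter(int(parsed["level"]), configured):
            kept.append(str(parsed["message"]))
    return kept


# Constructed sample lines (not real device output): facility local7 throughout.
SAMPLE_LINES = [
    f"<{pri_value('local7', 1)}>constructed: emergency-level message",
    f"<{pri_value('local7', 4)}>constructed: errors-level message",
    f"<{pri_value('local7', 7)}>constructed: informational message",
    "no PRI header at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog_line(line))
    print(filter_messages(SAMPLE_LINES, "errors"))
```

The filter mirrors the rule that level suppresses messages with a higher (less severe) level number: with level errors configured, the informational line is dropped while the emergencies and errors lines pass, and a line without a PRI header is ignored rather than guessed at.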
Format
info-center timestamp { trap | debugging | log } { boot | date | none | format-date | short-date } [ precision-time { millisecond | tenthsec } ]
undo info-center timestamp { trap | debugging | log }
Parameters
trap: indicates alarm information.
debugging: indicates debugging information.
log: indicates log information.
boot: the time elapsed since system startup, a relative value in the format xxxxxx.yyyyyy, where xxxxxx is the high 32 bits and yyyyyy the low 32 bits of the milliseconds elapsed since startup.
date: the current system date and time, in the format yyyy/mm/dd-hh:mm:ss in the Chinese environment and mm/dd/yyyy-hh:mm:ss in the English environment.
none: the output information carries no time stamp.
format-date: the formatted date type.
short-date: the short date type.
precision-time: sets the precision of the time stamp.
millisecond: the time stamp is precise to milliseconds.
tenthsec: the time stamp is precise to 0.1 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the date time stamp is used in the alarm and log information, and the boot time stamp is used in the debugging information.
Examples
# Set the time stamp format of alarm information as boot.
<Eudemon> system-view
[Eudemon] info-center timestamp trap boot
Format
info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] *
undo info-center trapbuffer [ channel | size ]
Parameters
channel: sets the channel for outputting information to the alarm buffer.
channel-number: sets the channel number, in the range of 0 to 9; that is, the system has 10 channels.
channel-name: sets the channel name.
size: sets the size of the alarm buffer. By default, output to the alarm buffer is enabled and the buffer holds 256 messages.
buffersize: the number of messages the alarm buffer holds, an integer in the range of 0 to 1024.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
This command takes effect only when the information center is enabled. Setting the size of the alarm buffer controls how much information is kept in this output direction.
Examples
# Enable the Eudemon to send information to the alarm buffer and set the size of the alarm buffer to 30.
<Eudemon> system-view
[Eudemon] info-center trapbuffer size 30
Format
license file [ license-file ]
undo license file
Parameters
license-file: specifies the name of the license file in the format of *.dat. The extension name .dat cannot be omitted. The value is a string of 1 to 64 characters.
Views
System view
Default Level
3: Management level
Usage Guidelines
If you want to use more than two VPN instances, GTPs, or dual-system hot backup, purchase licenses from Huawei.
Each license file matches exactly one piece of equipment; a license file that does not match the equipment cannot be activated. Once a license is activated, the Eudemon supports at least five VPN instances; purchase new licenses if more are needed. The licensed features can be used as soon as the license file is activated and can no longer be used once it is deactivated. An activated license file is valid permanently and cannot be deleted, overwritten, or renamed. By default, no license file is activated on the Eudemon.
Examples
# Activate the license file.
<Eudemon> system-view
[Eudemon] license file 200.dat
1.5.33 patch
Function
Using the patch command, you can set the status of Eudemon patches.
Format
patch { active patch-id | deactive patch-id | delete patch-id | load file-name | run patch-id }
Parameters
active: activates a patch.
deactive: deactivates a patch.
delete: deletes a specific patch.
load: loads a patch file. file-name is the name of the patch file, a string of 1 to 64 characters.
run: runs a patch.
patch-id: specifies the number of the patch. It ranges from 1 to 200.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Activate Eudemon patches.
<Eudemon> system-view
[Eudemon] patch active 4
1.5.34 ping
Function
Using the ping command, you can check the availability of IP network connection and host.
Format
ping [ -a X.X.X.X | -c count | -d | -h ttl_value | -i interface-type interface-number | ip | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -tos tos | -v | -vpn-instance vpn-instance-name ] * host
Parameters
-a X.X.X.X: sets the source IP address of the ICMP ECHO-REQUEST packets.
-c count: the number of ICMP ECHO-REQUEST packets to send, an integer in the range of 1 to 4294967295. By default, count is 5.
-d: sets the socket to DEBUG mode. By default, the socket is not in DEBUG mode.
-h ttl_value: sets the TTL, an integer in the range of 1 to 255.
-i interface-type interface-number: sets the interface from which the ICMP ECHO-REQUEST packets are sent.
-n: treats host as an IP address directly, without domain name resolution.
-p pattern: the hexadecimal byte pattern used to pad the ECHO-REQUEST payload, in the range of 0 to FFFFFFFF. For example, -p ff pads the packet with 0xff. By default, the padding is the repeating byte sequence 0x01 to 0x09.
-q: displays only the final statistics.
-r: records the route. By default, the route is not recorded.
-s packetsize: the length of the ECHO-REQUEST payload (excluding IP and ICMP headers) in bytes, in the range of 20 to 8100. By default, packetsize is 56.
-t timeout: the time in milliseconds to wait for an ECHO-RESPONSE after an ECHO-REQUEST has been sent, in the range of 0 to 65535. By default, timeout is 2000.
-tos tos: the ToS value carried by the ECHO-REQUEST packets, in the range of 0 to 255.
-v: displays received ICMP packets other than ECHO-RESPONSE. By default, such packets are not displayed.
ip: indicates the IP protocol.
-vpn-instance vpn-instance-name: specifies the MPLS VPN instance (the name of a vpn-instance configured locally) in which the ping is run.
host: the domain name or IP address of the destination host. host is first treated as an IP address; if it is not one, domain name resolution is performed.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
By default, all information (including statistics) is displayed. The ping process is as follows: the source sends ICMP ECHO-REQUEST packets to the destination; if the destination network is working normally, the destination host returns an ICMP ECHO-REPLY for each request it receives. Use ping to test connectivity and line quality. Its output contains:
- For each echo request: if no response arrives within the timeout, the system prints "Request time out."; otherwise it displays the size of the response packet, its sequence number, TTL, response time, and so on.
- Final statistics: the number of packets sent, the number of responses received, the percentage of packets without a response, and the minimum, maximum and average response times.
If the network is slow, increase the timeout accordingly.
Examples
# Check whether the host with the IP address 202.38.160.244 is reachable.
<Eudemon> ping 202.38.160.244
  ping 202.38.160.244 : 56 data bytes, press CTRL-C to break
    Reply from 202.38.160.244 : bytes=56 sequence=1 ttl=255 time=
    Reply from 202.38.160.244 : bytes=56 sequence=2 ttl=255 time=
    Reply from 202.38.160.244 : bytes=56 sequence=3 ttl=255 time=
    Reply from 202.38.160.244 : bytes=56 sequence=4 ttl=255 time=
    Reply from 202.38.160.244 : bytes=56 sequence=5 ttl=255 time=
  --- 202.38.160.244 ping statistics ---
    5 packets transmitted
    5 packets received
    0% packet loss
    round-trip min/avg/max = 1/2/3 ms
1.5.35 reboot
Function
Using the reboot command, you can restart a firewall.
Format
reboot
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
This command has the same effect as powering the firewall off and on again, but during remote maintenance it lets you restart the firewall remotely instead of locally. It is not recommended in normal operation because the network is interrupted for a short time. Before restarting, make sure that all configuration files of the firewall have been saved; unsaved changes are lost.
Examples
# Restart a firewall.
<Eudemon> reboot
Format
reset logbuffer
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Clear the information in the log buffer.
<Eudemon> reset logbuffer
Format
reset saved-configuration
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
This command should be executed with caution and under the guidance of technical personnel. It is generally used in the following cases:
- After the Eudemon software is updated, the configuration file in the storage device may not match the new software version.
- A used Eudemon is deployed in a new environment where the original configuration file no longer meets the requirements and the device must be reconfigured.
Examples
# Delete the configuration files saved in the storage device.
<Eudemon> reset saved-configuration
This will erase the configuration in the device. The configurations will be erased to reconfigure! Are you sure?[Y/N]y
Format
reset trapbuffer
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Clear the information in the alarm buffer.
<Eudemon> reset trapbuffer
1.5.39 save
Function
Using the save command, you can save the current configuration to the storage device.
Format
save [ file-name ]
Parameters
file-name: specifies the name of the configuration file. It is a string of 5 to 56 characters.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
When a set of configuration is finished and the expected functions have been achieved, the current configuration file should be saved in the storage device.
Examples
# Save the current configuration to the default storage device.
<Eudemon> save
The current configuration will be written to the device.
Caution: The executing "save" command on firewall can affects the quality of some types of traffic for the time of configuration saving.
Are you sure?[Y/N]y
Now saving the current configuration to the device...................................
Save the current configuration to the device successfully.
Format
service modem-callback
undo service modem-callback
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
By default, Callback is disabled.
Examples
# Enable Callback.
<Eudemon> system-view
[Eudemon] service modem-callback
Format
session log enable acl-number acl-number { inbound | outbound }
undo session log enable { inbound | outbound }
Parameters
acl-number: specifies an ACL number in a range of 2000 to 3999.
Views
Inter-zone view
Default Level
2: Configuration level
Usage Guidelines
Logging is enabled or disabled for the inter-zone traffic that matches the specified ACL in the given direction. By default, the system does not record inter-zone traffic logs. The command can also be used in the interzone view of a VPN instance.
Examples
# Enable recording of the traffic log of ACL 3100 between zones Trust and Untrust.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] session log enable acl-number 3100 outbound
Format
startup system-software system-file
Parameters
system-file: specifies the file name of the system software. It is a string of 5 to 56 characters.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
The system software must use .bin as its extension name and must be saved in the root directory of the storage device. By default, the system software is saved in the root directory of the flash.
Examples
# Configure the system software used in the next startup.
<Eudemon> startup system-software system.bin
Format
startup saved-configuration configuration-file
Parameters
configuration-file: specifies the name of the configuration file. It is a string of 5 to 56 characters.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
The configuration file must use .cfg or .zip as its extension name and must be saved in the root directory of the storage device. By default, the configuration file is saved in the root directory of the flash.
Examples
# Configure the configuration file used in the next startup.
<Eudemon> startup saved-configuration vrpcfg.zip
Format
terminal debugging
undo terminal debugging
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, displaying the terminal debugging information is disabled.
Examples
# Enable displaying the terminal debugging information.
<Eudemon> terminal debugging
Format
terminal logging
undo terminal logging
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, the terminal log information is enabled.
Examples
# Disable the terminal log information.
<Eudemon> undo terminal logging
Format
terminal monitor
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, terminal monitoring is disabled on a user terminal but enabled on the console. The command affects only the terminal on which it is entered.
Examples
# Disable the terminal monitor function.
<Eudemon> undo terminal monitor
Format
terminal trapping
undo terminal trapping
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, displaying the terminal alarm information is enabled.
Examples
# Disable displaying the terminal alarm information.
<Eudemon> undo terminal trapping
1.5.48 tracert
Function
Using the tracert command, you can find the gateways that datagrams pass through on the way from the sending host to the destination. It is mainly used to check whether a destination is reachable and to locate where a failure occurs in the network.
Format
tracert [ -a X.X.X.X | -f first_TTL | -m max_TTL | -p port | -q nqueries | -w timeout | -vpn-instance vpn-instance-name ] * host
Parameters
-a X.X.X.X: specifies the source address of the tracert packets. It must be the address of a local interface. By default, neither -a nor -vpn-instance is set.
-f first_TTL: specifies the initial TTL, in the range of 0 to the maximum TTL. By default, first_TTL is 1.
-m max_TTL: specifies the maximum TTL; it must be greater than the initial TTL. By default, max_TTL is 30.
-p port: the port number on the destination host, an integer. Generally it need not be changed. By default, port is 33434.
-q nqueries: the number of probe packets sent per hop, an integer greater than 0. By default, nqueries is 3.
-w timeout: the time in milliseconds to wait for a reply to each probe, an integer in the range of 0 to 65535. By default, timeout is 5000 ms, that is, 5 s.
-vpn-instance vpn-instance-name: specifies the MPLS VPN instance (the name of a vpn-instance configured locally) in which the tracert is run.
host: the domain name or IP address of the destination host.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The tracert process is as follows: the source sends a packet with TTL 1; the first hop discards it and returns an ICMP error message indicating that the TTL expired. The packet is then resent with TTL 2, the second hop returns the same TTL-expired error, and so on until a packet reaches the destination. Recording the source address of each TTL-expired message yields the route an IP packet takes to the destination. The ping command detects whether a network failure exists, while the tracert command locates where it is. The output lists the IP addresses of all gateways the packet passes on the way to the destination; a hop that does not reply within the timeout is shown as " * * * ".
Examples
# Display the gateways along the path between the local hosts to 18.26.0.115.
<Eudemon> tracert 18.26.0.115
 tracert to allspice.lcs.mit.edu (18.26.0.115), 30 hops max
  1 helios.ee.lbl.gov (128.3.112.1) 0 ms 0 ms 0 ms
  2 lilac-dmc.Berkeley.EDU (128.32.216.1) 19 ms 19 ms 19 ms
  3 lilac-dmc.Berkeley.EDU (128.32.216.1) 39 ms 19 ms 19 ms
  4 ccngw-ner-cc.Berkeley.EDU (128.32.136.23) 19 ms 39 ms 39 ms
  5 ccn-nerif22.Berkeley.EDU (128.32.168.22) 20 ms 39 ms 39 ms
  6 128.32.197.4 (128.32.197.4) 59 ms 119 ms 39 ms
  7 131.119.2.5 (131.119.2.5) 59 ms 59 ms 39 ms
  8 129.140.70.13 (129.140.70.13) 80 ms 79 ms 99 ms
  9 129.140.71.6 (129.140.71.6) 139 ms 139 ms 159 ms
 10 129.140.81.7 (129.140.81.7) 199 ms 180 ms 300 ms
 11 129.140.72.17 (129.140.72.17) 300 ms 239 ms 239 ms
 12 * * *
 13 128.121.54.72 (128.121.54.72) 259 ms 499 ms 279 ms
 14 * * *
 15 * * *
 16 * * *
 17 * * *
 18 ALLSPICE.LCS.MIT.EDU (18.26.0.115) 339 ms 279 ms 279 ms
Function
Using the debugging ssl command, you can enable the SSL debugging function. Using the undo debugging ssl command, you can disable the SSL debugging function.
Format
debugging ssl { all | event | handshake | warnning }
undo debugging ssl { all | event | handshake | warnning }
Parameters
all: indicates all SSL debugging functions.
event: indicates SSL event debugging.
handshake: indicates SSL handshake debugging.
warning: indicates SSL alarm debugging.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
By default, the SSL debugging function is disabled.
Examples
# Enable all the debugging functions of the SSL.
<Eudemon> debugging ssl all
Format
debugging web-manager { all | config-process | event | info-process }
undo debugging web-manager { all | config-process | event | info-process }
Parameters
all: indicates all debugging functions of the Web server.
config-process: indicates configuration debugging of the Web server.
event: indicates event debugging of the Web server.
info-process: indicates query debugging of the Web server.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
By default, the debugging function of the Web server is disabled.
Examples
# Enable all the debugging functions of the Web server.
<Eudemon> debugging web-manager all
Format
display web-manager { configuration | statistics | users }
Parameters
configuration: displays the basic configuration of the Web server.
statistics: displays the statistics of the Web server.
users: displays the online users of the Web server.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the basic configuration information of the Web server.
<Eudemon> display web-manager configuration
Httpd server is enable.
rootdir is FLASH:/web/.
default file name is /home.html.
HTTP port is 80.
Httpd security server is enable.
rootdir is FLASH:/web/.
default file name is /home.html.
HTTP port is 443.
1.6.4 web-manager
Function
Using the web-manager command, you can enable the Web server function.
Using the undo web-manager command, you can disable the Web server function.
Format
web-manager [ security ] enable [ port port-number ]
undo web-manager [ security ] enable [ port port-number ]
Parameters
security: specifies the type of packets exchanged between the Web browser and the Web server.
If security is not specified, the Web browser and the Web server exchange HTTP packets, in clear text. The default port number is 80.
If security is specified, the Web browser and the Web server exchange HTTPS packets. The default port number is 443.
port-number: specifies the listening port of the Web management server. It is an integer that ranges from 1025 to 50000.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enable the Web server function over HTTPS.
<Eudemon> system-view
[Eudemon] web-manager security enable
1.7.4 display ntp-service trace
1.7.5 ntp-service access
1.7.6 ntp-service authentication enable
1.7.7 ntp-service authentication-keyid
1.7.8 ntp-service broadcast-client
1.7.9 ntp-service broadcast-server
1.7.10 ntp-service in-interface disable
1.7.11 ntp-service max-dynamic-sessions
1.7.12 ntp-service multicast-client
1.7.13 ntp-service multicast-server
1.7.14 ntp-service refclock-master
1.7.15 ntp-service reliable authentication-keyid
1.7.16 ntp-service source-interface
1.7.17 ntp-service unicast-peer
1.7.18 ntp-service unicast-server
1.7.1 debugging ntp-service
Format
debugging ntp-service { access | adjustment | authentication | event | filter | packet | parameter | refclock | selection | synchronization | validity | all }
undo debugging ntp-service { access | adjustment | authentication | event | filter | packet | parameter | refclock | selection | synchronization | validity | all }
Parameters
access: refers to the NTP access debugging switch.
adjustment: refers to the NTP clock adjustment debugging switch.
all: refers to all NTP debugging switches.
authentication: refers to the NTP identity authentication debugging switch.
event: refers to the NTP event debugging switch.
filter: refers to the NTP filter debugging switch.
packet: refers to the NTP packet debugging switch.
parameter: refers to the NTP clock parameter debugging switch.
refclock: refers to the NTP reference clock debugging switch.
selection: refers to the NTP clock selection debugging switch.
synchronization: refers to the NTP clock synchronization debugging switch.
validity: refers to the NTP validity debugging switch.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, all debugging switches are disabled.
Examples
# Enable the NTP access debugging switch.
<Eudemon> debugging ntp-service access
1.7.2 display ntp-service sessions
Format
display ntp-service sessions [ verbose ]
Parameters
verbose: displays details of the NTP sessions. If verbose is not specified, a summary of the NTP sessions is displayed.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the status of all NTP sessions maintained by the local NTP service.
<Eudemon> display ntp-service sessions
        source         refid      st  now  poll  reach  delay  offset   dis
********************************************************************************
[12345] 127.127.1.0    LOCAL(0)    7   26    64      1    0.0     0.0  15.6
    [5] 10.110.101.20  0.0.0.0    16   64     0    0.0     0.0   0.0
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Table 1-7 shows the description of the display ntp-service sessions command output.
Table 1-7 Description of the display ntp-service sessions command output
source: Clock source address.
refid: Reference identifier. When the local system has synchronized with a remote NTP server or a clock source, this is the address of the remote server or the identifier of the clock source. When the server is in a VPN, the VPN instance name is displayed.
st: NTP stratum of the clock source.
delay: Delay from the local system to the master reference clock source.
offset: Offset of the local system relative to the master reference clock source.
dis: Dispersion relative to the superior clock source.
1.7.3 display ntp-service status
Format
display ntp-service status
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the status of NTP.
<Eudemon> display ntp-service status
 clock status: unsynchronized
 clock stratum: 16
 reference clock ID: none
 nominal frequency: 60.2384 Hz
 actual frequency: 60.2384 Hz
 clock precision: 2^18
 clock offset: 0.0000 ms
 root delay: 0.00 ms
 root dispersion: 0.00 ms
 peer dispersion: 0.00 ms
 reference time: 16:58:22.371 UTC Jan 8 2009(CD10AF2E.5F15F88F)
Table 1-8 shows the description of the display ntp-service status command output.
Table 1-8 Description of the display ntp-service status command output
clock status: Status of the local system clock. synchronized means the local system is synchronized with another NTP server or a reference clock; unsynchronized means it is not synchronized with any NTP server.
clock stratum: Stratum of the local system clock.
reference clock ID: If the local system clock is synchronized with a remote NTP server or a reference clock, the identifier of that server or clock. Otherwise, none is displayed.
nominal frequency: Nominal frequency of the local system clock.
actual frequency: Actual frequency of the local system clock.
clock precision: Precision of the local system clock.
clock offset: Offset between the local system clock and the NTP server.
root delay: Total delay between the local system clock and the primary reference clock.
root dispersion: Dispersion between the local system clock and the primary reference clock.
peer dispersion: Dispersion between the local system clock and the remote NTP peer.
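A firewall whose clock is unsynchronized (stratum 16) produces log and session timestamps that cannot be correlated with other systems, so this output is worth checking automatically. The following Python script is an added example, not part of the command reference: it parses the output above, decodes the hexadecimal NTP timestamp in the reference time field (seconds since 1900-01-01 UTC plus a 32-bit binary fraction, the standard NTP timestamp format) and reports whether the clock can be trusted. The sample output is a constructed copy of the example shown above.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
UNSYNCHRONIZED_STRATUM = 16

# Constructed sample: a copy of the "display ntp-service status" output above.
SAMPLE_STATUS = """\
clock status: unsynchronized
clock stratum: 16
reference clock ID: none
nominal frequency: 60.2384 Hz
actual frequency: 60.2384 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.00 ms
peer dispersion: 0.00 ms
reference time: 16:58:22.371 UTC Jan 8 2009(CD10AF2E.5F15F88F)
"""

# The device prints the raw 64-bit NTP timestamp in parentheses: SSSSSSSS.FFFFFFFF
TIMESTAMP_RE = re.compile(r"\(([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\)")


def parse_status(text):
    """Turn the 'item: value' lines into a dict keyed by item name."""
    fields = {}
    for line in text.splitlines():
        item, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            fields[item.strip()] = value.strip()
    return fields


def ntp_timestamp_to_datetime(seconds_hex, fraction_hex="0"):
    """Decode an NTP timestamp: 32-bit seconds since 1900-01-01 UTC plus a
    32-bit binary fraction of a second."""
    seconds = int(seconds_hex, 16)
    fraction = int(fraction_hex, 16) / 2 ** 32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=round(fraction * 1e6))


def assess_clock(text):
    """Summarize whether the device clock can be trusted for log timestamps."""
    fields = parse_status(text)
    stratum = int(fields.get("clock stratum", UNSYNCHRONIZED_STRATUM))
    synchronized = (fields.get("clock status") == "synchronized"
                    and stratum < UNSYNCHRONIZED_STRATUM)
    match = TIMESTAMP_RE.search(fields.get("reference time", ""))
    reference_time = ntp_timestamp_to_datetime(*match.groups()) if match else None
    return {
        "synchronized": synchronized,
        "stratum": stratum,
        "reference_clock": fields.get("reference clock ID"),
        "reference_time": reference_time,
    }


if __name__ == "__main__":
    result = assess_clock(SAMPLE_STATUS)
    print(result)
    if not result["synchronized"]:
        print("WARNING: clock is not synchronized; device timestamps are unreliable")
```

For the sample, the decoded reference time is 2009-01-08 16:58:22.371 UTC, matching the human-readable part of the line; 0xCD10AF2E seconds minus the 2208988800 seconds between 1900 and 1970 gives the Unix time 1231433902.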
1.7.4 display ntp-service trace
Format
display ntp-service trace
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command displays a summary of each NTP server along the synchronization chain, tracing from the local device back to the reference clock source.
Examples
# Display the summary of each NTP time server on the chain from the local device to the reference clock source.
<Eudemon> display ntp-service trace
server4: stratum 4, offset 0.0019529, synch distance 0.144135
server3: stratum 3, offset 0.0124263, synch distance 0.115784
server2: stratum 2, offset 0.0019298, synch distance 0.011993
server1: stratum 1, offset 0.0019298, synch distance 0.011993, refid 'GPS Receiver'
The output shows the synchronization chain of server 4: server 4 is synchronized to server 3, server 3 to server 2, and so on. Finally, server 1 is synchronized to a GPS receiver.
1.7.5 ntp-service access
Function
Using the ntp-service access command, you can set the access control authority of the local NTP service. Using the undo ntp-service access command, you can cancel the configured access control authority.
Format
ntp-service access { query | synchronization | server | peer } acl-number
undo ntp-service access { query | synchronization | server | peer }
Parameters
query: grants the most restricted access. Only control queries can be performed on the local NTP service.
synchronization: grants server access. Only time requests can be performed on the local NTP service.
server: grants server access and queries. Both time requests and control queries can be performed on the local NTP service, but the local clock is not synchronized to the remote server.
peer: grants full access. Both time requests and control queries can be performed on the local NTP service, and the local clock can be synchronized to the remote server.
acl-number: specifies the number of the basic ACL (IP address access list). It is an integer that ranges from 2000 to 2999.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no access authority is set. Restricting access to the NTP service of the local device is a minimal security measure; identity authentication is a stronger one. When an access request arrives, the NTP server matches it against the configured ACLs in the order peer, server, synchronization, query, that is, from the least restrictive authority to the most restrictive, and the first match determines the authority granted.
Examples
# Allow the peers in ACL 2076 to perform time requests, control queries and time synchronization on the local device.
<Eudemon> system-view
[Eudemon] ntp-service access peer 2076
# Allow the peers in ACL 2028 to perform time requests and control queries on the local device.
[Eudemon] ntp-service access server 2028
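To make the matching order concrete, the following Python script is an added example (not from the command reference) that evaluates which authority a given source address receives under the two bindings shown above. The ACL rule lists and the prefixes in them are constructed; the rights attached to each authority are those the Parameters section describes. One assumption is made explicit in the code: a source that matches no rule in a bound ACL is treated as denied by that ACL, and a source that no ACL permits receives no authority at all.

```python
import ipaddress

# Rights granted by each authority, as described in the Parameters section.
AUTHORITY_RIGHTS = {
    "peer":            {"time_request": True,  "control_query": True,  "sync_to_remote": True},
    "server":          {"time_request": True,  "control_query": True,  "sync_to_remote": False},
    "synchronization": {"time_request": True,  "control_query": False, "sync_to_remote": False},
    "query":           {"time_request": False, "control_query": True,  "sync_to_remote": False},
}
NO_RIGHTS = {"time_request": False, "control_query": False, "sync_to_remote": False}

# Matching order: from the least restrictive authority to the most restrictive.
MATCH_ORDER = ("peer", "server", "synchronization", "query")


def acl_permits(acl, address):
    """First-match evaluation of a basic ACL given as [(action, prefix), ...].

    Assumption of this example: a source that matches no rule is denied.
    """
    ip = ipaddress.ip_address(address)
    for action, prefix in acl:
        if ip in ipaddress.ip_network(prefix):
            return action == "permit"
    return False


def ntp_authority(bindings, acls, address):
    """Return the authority granted to `address`, or None if no bound ACL permits it.

    bindings: {authority: acl-number}, as set with `ntp-service access`.
    acls:     {acl-number: [(action, prefix), ...]}.
    """
    for authority in MATCH_ORDER:
        acl_number = bindings.get(authority)
        if acl_number is None:
            continue
        if acl_permits(acls[acl_number], address):
            return authority
    return None


def ntp_rights(bindings, acls, address):
    """Rights a source actually gets on the local NTP service."""
    authority = ntp_authority(bindings, acls, address)
    return dict(AUTHORITY_RIGHTS[authority]) if authority else dict(NO_RIGHTS)


# Constructed configuration mirroring the two examples above:
# ACL 2076 -> peer, ACL 2028 -> server. The prefixes are made up.
SAMPLE_ACLS = {
    2076: [("permit", "10.1.1.0/24")],
    2028: [("deny", "10.2.99.0/24"), ("permit", "10.2.0.0/16")],
}
SAMPLE_BINDINGS = {"peer": 2076, "server": 2028}

if __name__ == "__main__":
    for host in ("10.1.1.5", "10.2.3.4", "10.2.99.7", "192.0.2.1"):
        print(host, ntp_authority(SAMPLE_BINDINGS, SAMPLE_ACLS, host),
              ntp_rights(SAMPLE_BINDINGS, SAMPLE_ACLS, host))
```

Because peer is tested first, a source that appears in both ACLs receives the more permissive authority; keep the peer ACL limited to the hosts that are genuinely meant to adjust this device's clock.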
1.7.6 ntp-service authentication enable
Format
ntp-service authentication enable undo ntp-service authentication enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, NTP identity authentication is disabled.
Examples
# Enable identity authentication for NTP.
<Eudemon> system-view
[Eudemon] ntp-service authentication enable
1.7.7 ntp-service authentication-keyid
Format
ntp-service authentication-keyid key-id authentication-mode md5 value
undo ntp-service authentication-keyid key-id
Parameters
key-id: specifies the key number. It is an integer that ranges from 1 to 4294967295.
authentication-mode md5 value: specifies the MD5 authentication key. It is a string of 1 to 32 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no authentication key is set. NTP supports only the MD5 authentication mode.
Examples
# Set an MD5 authentication key. The key ID is 10 and the key is BetterKey.
<Eudemon> system-view
[Eudemon] ntp-service authentication-keyid 10 authentication-mode md5 BetterKey
1.7.8 ntp-service broadcast-client
Format
ntp-service broadcast-client undo ntp-service broadcast-client
Parameters
None
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the NTP broadcast client mode is not configured. Once the current interface is configured to receive NTP broadcast messages, the local device runs in broadcast-client mode and listens for broadcast packets from the server. After receiving the first broadcast packet, the local device sets up a temporary client/server exchange with the remote server to estimate the network delay. It then returns to client mode, continues to listen for incoming broadcast packets and synchronizes the local clock from them.
Examples
# Enable GigabitEthernet 0/0/1 to receive NTP broadcast messages.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/1
[Eudemon-GigabitEthernet0/0/1] ntp-service broadcast-client
1.7.9 ntp-service broadcast-server
Format
ntp-service broadcast-server [ authentication-keyid key-id | version number ] * undo ntp-service broadcast-server
Parameters
authentication-keyid key-id: specifies the authentication key ID used when sending messages to broadcast clients. It is an integer that ranges from 0 to 4294967295.
version number: specifies the NTP version number. It is an integer that ranges from 1 to 3. By default, it is 3.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the broadcast service is not configured. Once the current interface is configured to send NTP broadcast packets, the local device runs as a broadcast server and periodically sends broadcast messages to the broadcast clients.
Examples
# Enable GigabitEthernet 0/0/0 to send NTP broadcast packets, with authentication key ID 4 and NTP version 3.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ntp-service broadcast-server authentication-keyid 4 version 3
1.7.10 ntp-service in-interface disable
Format
ntp-service in-interface disable undo ntp-service in-interface disable
Parameters
None
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the interface is enabled to receive the NTP message.
Examples
# Disable GigabitEthernet 0/0/0 from receiving the NTP message.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ntp-service in-interface disable
1.7.11 ntp-service max-dynamic-sessions
Format
ntp-service max-dynamic-sessions number undo ntp-service max-dynamic-sessions
Parameters
number: specifies the number of dynamic NTP sessions allowed to be set up. It is an integer that ranges from 0 to 100.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, 100 sessions are allowed to be set up.
Examples
# Set the maximum NTP dynamic sessions allowed to be set up to 50.
<Eudemon> system-view
[Eudemon] ntp-service max-dynamic-sessions 50
1.7.12 ntp-service multicast-client
Function
Using the ntp-service multicast-client command, you can configure the NTP multicast client mode. Using the undo ntp-service multicast-client command, you can cancel the NTP multicast client mode.
Format
ntp-service multicast-client [ X.X.X.X ]
undo ntp-service multicast-client [ X.X.X.X ]
Parameters
X.X.X.X: specifies the multicast IP address, which is a Class D address. By default, it is 224.0.1.1.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the multicast client mode is disabled. Once the current interface is configured to receive NTP multicast messages, the local device runs in multicast-client mode. After receiving the first multicast packet, the local device sets up a temporary client/server exchange with the remote server to estimate the network delay. It then returns to client mode, continues to listen for multicast messages and synchronizes the local clock from them.
Examples
# Configure GigabitEthernet 0/0/0 to receive NTP multicast messages sent to the multicast address 224.0.1.1.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ntp-service multicast-client 224.0.1.1
1.7.13 ntp-service multicast-server
Format
ntp-service multicast-server [ X.X.X.X ] [ authentication-keyid key-id | ttl ttl-number | version number ] *
undo ntp-service multicast-server [ X.X.X.X ]
Parameters
X.X.X.X: specifies the multicast IP address, which is a Class D address. By default, it is 224.0.1.1.
authentication-keyid key-id: specifies the authentication key ID used when sending messages to the multicast clients. It is an integer that ranges from 0 to 4294967295.
ttl ttl-number: specifies the life span (TTL) of the multicast packets. It is an integer that ranges from 1 to 255.
version number: specifies the NTP version number. It is an integer that ranges from 1 to 3. By default, it is 3.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, no multicast service is configured; when it is, the multicast address defaults to 224.0.1.1 and the version number to 3. This command makes the local device send NTP multicast messages from the specified interface: the device runs in multicast-server mode and periodically sends multicast messages to the multicast clients.
Examples
# Configure GigabitEthernet 0/0/0 to send NTP multicast messages. The multicast address is 224.0.1.2, the authentication key ID is 4 and the NTP version number is 1.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ntp-service multicast-server 224.0.1.2 authentication-keyid 4 version 1
1.7.14 ntp-service refclock-master
Format
ntp-service refclock-master [ X.X.X.X ] [ stratum ]
undo ntp-service refclock-master [ X.X.X.X ]
Parameters
X.X.X.X: specifies the IP address of the local clock, in the form 127.127.t.u. t ranges from 0 to 37; at present it is 1, indicating the local reference clock. u ranges from 0 to 3, indicating the NTP process number.
stratum: specifies the stratum of the NTP master clock. It is an integer that ranges from 1 to 15.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, X.X.X.X is not specified and stratum is 1. Use this command to set an external reference clock or the local clock as the NTP master clock that provides time to other devices. X.X.X.X is the reference clock address in the form 127.127.t.u; if it is not specified, the local clock becomes the NTP master clock. You can also specify the stratum of the master clock.
Examples
# Set the local clock to be the NTP master clock, the stratum of which set to 3.
<Eudemon> system-view
[Eudemon] ntp-service refclock-master 3
1.7.15 ntp-service reliable authentication-keyid
Format
ntp-service reliable authentication-keyid key-id
undo ntp-service reliable authentication-keyid key-id
Parameters
key-id: specifies the key number. It is an integer ranging from 1 to 4294967295.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no authentication key is specified as reliable. When identity authentication is enabled, this command specifies one or more keys as reliable. The client then synchronizes only with servers that present a reliable key; a server that does not present a reliable key is not used for synchronization.
Examples
# Enable NTP identity authentication, configure MD5 key ID 37 with the key BetterKey, and specify the key as reliable.
<Eudemon> system-view
[Eudemon] ntp-service authentication enable
[Eudemon] ntp-service authentication-keyid 37 authentication-mode md5 BetterKey
[Eudemon] ntp-service reliable authentication-keyid 37
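The three commands above configure the classic NTP symmetric-key scheme: the sender appends a 4-byte key ID and MD5(key || NTP header) to the 48-byte packet, and the receiver accepts the packet only if the key ID is configured, is marked reliable, and the recomputed digest matches. The following Python script is an added example, not part of the command reference or of the device firmware; it implements that check for the configuration shown above (key 37 reliable) plus a constructed second key 10 that is configured but not reliable, and shows how each case is rejected. Note that this is keyed MD5 over key||message, not HMAC, and the key is a shared secret stored in clear in the configuration; the command reference offers no stronger mode.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTP header
MAC_LEN = 4 + 16         # key identifier + MD5 digest


def build_ntp_header(version=3, mode=3, transmit_ts=0):
    """Minimal NTP header: LI=0, the given version and mode (3 = client),
    all other fields zero except the transmit timestamp."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    stratum, poll, precision = 0, 6, -20
    header = struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
    header += struct.pack("!III", 0, 0, 0)                # root delay, root dispersion, reference ID
    header += struct.pack("!QQQQ", 0, 0, 0, transmit_ts)  # reference, origin, receive, transmit timestamps
    return header


def ntp_sign(header, key_id, keys):
    """Append the MAC: 4-byte key ID followed by MD5(key || header)."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def ntp_verify(packet, keys, reliable):
    """Verify a received packet. Returns (accepted, reason).

    keys     -> what `ntp-service authentication-keyid <id> authentication-mode md5 <key>` configures
    reliable -> what `ntp-service reliable authentication-keyid <id>` configures
    """
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    received = packet[NTP_HEADER_LEN + 4:]
    if key_id not in keys:
        return False, "unknown key ID %d" % key_id
    if key_id not in reliable:
        return False, "key ID %d is not marked reliable" % key_id
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, received):   # constant-time comparison
        return False, "digest mismatch"
    return True, "authenticated with key ID %d" % key_id


# Constructed configuration: key 37 = BetterKey as in the example above and
# marked reliable; key 10 is an extra key that is configured but not reliable.
KEYS = {37: b"BetterKey", 10: b"OtherKey"}
RELIABLE = {37}


def demo():
    header = build_ntp_header(transmit_ts=0xCD10AF2E5F15F88F)
    good = ntp_sign(header, 37, KEYS)
    untrusted = ntp_sign(header, 10, KEYS)
    tampered = bytearray(good)
    tampered[1] ^= 0x01                                # flip a bit in the stratum field
    return {
        "good": ntp_verify(good, KEYS, RELIABLE),
        "untrusted": ntp_verify(untrusted, KEYS, RELIABLE),
        "tampered": ntp_verify(bytes(tampered), KEYS, RELIABLE),
        "unsigned": ntp_verify(header, KEYS, RELIABLE),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The "unsigned" case is the important one operationally: enabling authentication and marking keys reliable is what turns a missing or wrong MAC into a rejection; configuring a key ID alone does not.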
1.7.16 ntp-service source-interface
Format
ntp-service source-interface interface-type interface-number
undo ntp-service source-interface
Parameters
interface-type: specifies the interface type.
interface-number: specifies the interface number. The combination of interface-type and interface-number identifies an interface.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the source address of NTP messages is determined by the outbound interface. This command makes the local device send all NTP messages with the IP address of the specified interface as the source address. Use it when you do not want the IP addresses of other interfaces on the local device to appear as the destination address of responses.
Examples
# Specify GigabitEthernet 0/0/0 as the source interface to send all the NTP messages.
<Eudemon> system-view
[Eudemon] ntp-service source-interface GigabitEthernet 0/0/0
1.7.17 ntp-service unicast-peer
Format
ntp-service unicast-peer X.X.X.X [ version number | authentication-keyid keyid | source-interface interface-type interface-number | priority ] *
undo ntp-service unicast-peer X.X.X.X
Parameters
X.X.X.X: specifies the IP address of the remote server.
version number: specifies the NTP version number. It is an integer that ranges from 1 to 3.
authentication-keyid keyid: specifies the authentication key ID used when sending messages to the remote server. It is an integer that ranges from 0 to 4294967295.
source-interface interface-type interface-number: specifies the interface whose address is used as the source address. The combination of interface-type and interface-number identifies an interface.
priority: specifies the remote server as the preferred one.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no authentication-keyid or priority is configured, and the version number is 3. This command sets the remote server X.X.X.X as a peer of the local device. The local device runs in symmetric active mode, so the local device can be synchronized to the remote server and the remote server can also be synchronized to the local device.
Examples
# Configure the peer 128.108.22.44 to provide time synchronization for the local device; the local device can also provide time synchronization for the peer. The version number is 3, and the source IP address of the NTP packets is the address of GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] ntp-service unicast-peer 128.108.22.44 version 3 source-interface GigabitEthernet 0/0/0
1.7.18 ntp-service unicast-server
Format
ntp-service unicast-server X.X.X.X [ version number | authentication-keyid keyid | source-interface interface-type interface-number | priority ] *
undo ntp-service unicast-server X.X.X.X
Parameters
X.X.X.X: specifies the IP address of the remote server.
version number: specifies the NTP version number. It is an integer that ranges from 1 to 3.
authentication-keyid keyid: specifies the authentication key ID used when sending messages to the remote server. It is an integer that ranges from 0 to 4294967295.
source-interface interface-type interface-number: specifies the interface whose address is used as the source address. The combination of interface-type and interface-number identifies an interface.
priority: specifies the remote server as the preferred one.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the version number is 3, no authentication key ID is configured, and the server is not the preferred one. This command sets the remote server X.X.X.X as the time server of the local device. The local device runs in client mode: it can be synchronized to the remote server, but the remote server cannot be synchronized to the local device.
Examples
# Configure the server 128.108.22.44 to provide the synchronizing time for the local device. The NTP version number is 3.
<Eudemon> system-view
[Eudemon] ntp-service unicast-server 128.108.22.44 version 3
1.8.12 snmp-agent group
1.8.13 snmp-agent local-engineid
1.8.14 snmp-agent mib-view
1.8.15 snmp-agent packet max-size
1.8.16 snmp-agent sys-info
1.8.17 snmp-agent target-host
1.8.18 snmp-agent trap enable
1.8.19 snmp-agent trap life
1.8.20 snmp-agent trap queue-size
1.8.21 snmp-agent trap source
1.8.22 snmp-agent usm-user
1.8.1 debugging snmp-agent
Format
debugging snmp-agent { header | packet | process | trap }
undo debugging snmp-agent { header | packet | process | trap }
Parameters
header: enables packet header debugging.
packet: enables packet debugging.
process: enables SNMP packet processing debugging.
trap: enables Trap packet debugging.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, SNMP Agent debugging switch is disabled.
Examples
# Enable the SNMP Agent packet header debugging switch.
<Eudemon> debugging snmp-agent header
1.8.2 display snmp-agent
Format
display snmp-agent { local-engineid | remote-engineid }
Parameters
local-engineid: displays the engine ID of the local SNMP entity.
remote-engineid: displays the engine ID of the remote SNMP agent.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The SNMP engine ID uniquely identifies an SNMP entity within a management domain. It is an essential component of the SNMP entity and is used in message dispatching, message processing, security authentication and access control.
Examples
# Display the engine ID of the current device.
<Eudemon> display snmp-agent local-engineid
SNMP local EngineID: 000007DB7F0000013859
In the output above, SNMP local EngineID is the engine ID of the local SNMP entity.
1.8.3 display snmp-agent community
Function
Using the display snmp-agent community command, you can display the current configuration of SNMPv1 or SNMPv2c.
Format
display snmp-agent community [ read | write ]
Parameters
read: displays the community names with read-only authority.
write: displays the community names with read and write authority.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the current community name.
<Eudemon> display snmp-agent community
1.8.4 display snmp-agent group
Format
display snmp-agent group [ group-name ]
Parameters
group-name: specifies the SNMP group to be displayed, and its value ranges from 1 to 32 bytes.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Use this command to check the SNMP groups when SNMPv3 groups are configured on the managed entity. When no parameter is specified, the output lists all groups with their names, security models and storage types.
Examples
# Display the SNMP group name and the security mode.
<Eudemon> display snmp-agent group
Group name: group_test
Security model: v3 AuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview: <no specified>
Storage-type: nonVolatile
Table 1-9 shows the description of the display snmp-agent group command output.
Table 1-9 Description of the display snmp-agent group command output
Group name: SNMP group name.
Security model: Security model of the group.
Readview: Name of the read-only MIB view bound to the group.
Writeview: Name of the writable MIB view bound to the group.
Notifyview: Name of the notify MIB view bound to the group.
Storage-type: Storage type.
1.8.5 display snmp-agent mib-view
Format
display snmp-agent mib-view [ exclude | include | viewname view-name ]
Parameters
exclude: displays the MIB views of the excluded type.
include: displays the MIB views of the included type.
viewname view-name: displays the MIB view with the specified name.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the current MIB view.
<Eudemon> display snmp-agent mib-view
View name: ViewDefault
MIB Subtree: internet
Subtree mask:
Storage-type: nonVolatile
View Type: included
View status: active
Table 1-10 shows the description of the display snmp-agent mib-view command output.
Table 1-10 Description of the display snmp-agent mib-view command output
View name: View name.
MIB Subtree: MIB subtree.
Subtree mask: MIB subtree mask (not currently supported).
Storage-type: Storage type.
View Type: MIB view type (included or excluded).
View status: Table row status.
NOTE
When the SNMP Agent is disabled, "Snmp Agent disabled" is displayed if this display command is executed.
1.8.6 display snmp-agent statistics
Format
display snmp-agent statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the statistics of SNMP packets.
<Eudemon> display snmp-agent statistics
  0 Messages delivered to the SNMP entity
  0 Messages which were for an unsupported version
  0 Messages which used a SNMP community name not known
  0 Messages which represented an illegal operation for the community supplied
  0 ASN.1 or BER errors in the process of decoding
  0 Messages passed from the SNMP entity
  0 SNMP PDUs which had badValue error-status
  0 SNMP PDUs which had genErr error-status
  0 SNMP PDUs which had noSuchName error-status
  0 SNMP PDUs which had tooBig error-status
  0 MIB objects retrieved successfully
  0 MIB objects altered successfully
  0 GetRequest-PDU accepted and processed
  0 GetNextRequest-PDU accepted and processed
  0 GetResponse-PDU accepted and processed
  0 SetRequest-PDU accepted and processed
  0 Trap-PDU accepted and processed
Table 1-11 shows the description of the display snmp-agent statistics command output.
Table 1-11 Description of the display snmp-agent statistics command output
Messages delivered to the SNMP entity: Total number of input SNMP messages.
Messages which were for an unsupported version: Number of messages with version errors.
Messages which used a SNMP community name not known: Number of messages with community name errors.
Messages which represented an illegal operation for the community supplied: Number of messages whose operation was not permitted for the supplied community name.
ASN.1 or BER errors in the process of decoding: Number of SNMP messages with encoding errors.
Messages passed from the SNMP entity: Total number of output SNMP messages.
SNMP PDUs which had a badValue error-status: Number of SNMP messages with bad values.
SNMP PDUs which had a genErr error-status: Number of SNMP messages with general errors.
SNMP PDUs which had a noSuchName error-status: Number of SNMP messages requesting a non-existent MIB object.
SNMP PDUs which had a tooBig error-status: Number of SNMP messages with tooBig errors.
MIB objects retrieved successfully: Number of variables requested by the NMS.
MIB objects altered successfully: Number of variables set by the NMS.
GetRequest-PDU accepted and processed: Number of received GetRequest messages.
GetNextRequest-PDU accepted and processed: Number of received GetNextRequest messages.
GetResponse-PDU accepted and processed: Number of received GetResponse messages.
SetRequest-PDU accepted and processed: Number of received SetRequest messages.
Trap-PDU accepted and processed: Number of sent Trap messages.
NOTE
When the SNMP Agent is disabled, "Snmp Agent disabled" is displayed if this display command is executed.
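Several of the counters in Table 1-11 are direct indicators of abuse: a high count of messages with an unknown community name is the footprint of community-string guessing, "illegal operation for the community supplied" counts attempts to write through a read-only community, and SetRequest PDUs show that something actually changed configuration over SNMP. The following Python script is an added example, not part of the command reference: it parses the command output into counters and turns those into findings. The sample output is constructed (the counters are made up to show each finding), and the thresholds are assumptions to be tuned per device.

```python
import re

# Constructed sample in the layout of `display snmp-agent statistics`, with
# made-up counters that suggest community-string guessing and a few writes.
SAMPLE_STATS = """\
  1543 Messages delivered to the SNMP entity
     0 Messages which were for an unsupported version
   812 Messages which used a SNMP community name not known
     3 Messages which represented an illegal operation for the community supplied
     0 ASN.1 or BER errors in the process of decoding
   728 Messages passed from the SNMP entity
     0 SNMP PDUs which had badValue error-status
     0 SNMP PDUs which had genErr error-status
    41 SNMP PDUs which had noSuchName error-status
     0 SNMP PDUs which had tooBig error-status
  2910 MIB objects retrieved successfully
     2 MIB objects altered successfully
   402 GetRequest-PDU accepted and processed
   324 GetNextRequest-PDU accepted and processed
     0 GetResponse-PDU accepted and processed
     2 SetRequest-PDU accepted and processed
    15 Trap-PDU accepted and processed
"""

COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

DELIVERED = "Messages delivered to the SNMP entity"
UNKNOWN_COMMUNITY = "Messages which used a SNMP community name not known"
ILLEGAL_OPERATION = "Messages which represented an illegal operation for the community supplied"
DECODE_ERRORS = "ASN.1 or BER errors in the process of decoding"
SET_REQUESTS = "SetRequest-PDU accepted and processed"


def parse_snmp_statistics(text):
    """Map each counter's description to its integer value."""
    stats = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line)
        if match:
            stats[match.group(2)] = int(match.group(1))
    return stats


def snmp_findings(stats, unknown_community_threshold=10, set_threshold=1):
    """Return human-readable findings; thresholds are assumptions, not vendor guidance."""
    findings = []
    delivered = stats.get(DELIVERED, 0)
    unknown = stats.get(UNKNOWN_COMMUNITY, 0)
    if unknown >= unknown_community_threshold:
        share = 100.0 * unknown / delivered if delivered else 0.0
        findings.append("%d of %d inbound messages (%.0f%%) carried an unknown community "
                        "string: possible community-string guessing" % (unknown, delivered, share))
    illegal = stats.get(ILLEGAL_OPERATION, 0)
    if illegal:
        findings.append("%d messages attempted an operation not allowed for their "
                        "community (for example a SET with a read-only community)" % illegal)
    if stats.get(DECODE_ERRORS, 0):
        findings.append("%d malformed SNMP messages: possible fuzzing or a broken client"
                        % stats[DECODE_ERRORS])
    sets = stats.get(SET_REQUESTS, 0)
    if sets >= set_threshold:
        findings.append("%d SetRequest PDUs were processed: confirm the writes came from the NMS" % sets)
    return findings


if __name__ == "__main__":
    for finding in snmp_findings(parse_snmp_statistics(SAMPLE_STATS)):
        print("-", finding)
```

The counters are cumulative, so in practice collect the output periodically and run the findings over the difference between two samples; a single large "unknown community" figure on a long-running device may be old noise rather than an attack in progress.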
1.8.7 display snmp-agent sys-info
Format
display snmp-agent sys-info [ contact | location | version ] *
Parameters
contact: displays the contact information of the current SNMP device.
location: displays the physical location of the current SNMP device.
version: displays the SNMP versions running on the current SNMP agent.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the system information of the SNMP agent.
<Eudemon> display snmp-agent sys-info
The contact person for this managed node: Beijing, Huawei Technologies co.,Ltd.
The physical location of this node: Beijing China
SNMP version running in the system: SNMPv1 SNMPv3
1.8.8 display snmp-agent usm-user
Format
display snmp-agent usm-user [ engineid engine-id | username user-name | group group-name ] *
Parameters
engineid engine-id: displays the SNMPv3 users with the specified engine ID. The engine ID is a string of 10 to 64 characters.
username user-name: displays the specified SNMPv3 user. The user name is a string of 1 to 32 characters.
group group-name: displays the users of the specified group. The group name is a string of 1 to 32 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
An SNMP user is a remote user who performs SNMP management operations. SNMP users are configured with the snmp-agent usm-user command.
Examples
<Eudemon> display snmp-agent usm-user
User name: user1
Engine ID: 000007DB7F00000100002F19 active
User name: user2
Engine ID: 000007DB7F00000100002F19 active
User name: user3
Engine ID: 000007DB7F00000100002F19 active
Format
enable snmp trap updown
undo enable snmp trap updown
Parameters
None
Views
GE interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the agent sends a LinkUp Trap or LinkDown Trap message to the NMS when the interface goes Up or Down.
After this command is configured, the firewall sends a LinkUp Trap message when the network cable or fiber of a Layer 3 physical interface is inserted and a LinkDown Trap message when it is pulled out, even if the interface has no IP address configured. In this way, the NMS can monitor link status based on the Trap messages sent for the interface. The firewall does not, however, send Trap messages when the protocol status of the interface changes. If this function is disabled, whether a Trap message is sent when the physical status of the interface goes Up or Down depends on the protocol status of the interface. You must also run the snmp-agent trap enable command to enable the Trap function on the firewall and the snmp-agent target-host command to configure the destination host so that the NMS can receive Trap messages.
Examples
# Enable GE 0/0/1 to send a LinkUp Trap or LinkDown Trap message to the NMS when the interface changes Up or Down.
<Eudemon> system-view
[Eudemon] interface gigabitethernet 0/0/1
[Eudemon-GigabitEthernet0/0/1] enable snmp trap updown
1.8.10 snmp-agent
Function
Using the snmp-agent command, you can enable the SNMP Agent and specify the SNMP configuration information. Using the undo snmp-agent command, you can disable SNMP Agent.
Format
snmp-agent
undo snmp-agent
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the SNMP Agent is disabled. The snmp-agent command enables the SNMP Agent; note that running any other snmp-agent configuration command also enables it.
When the SNMP Agent is not enabled, the undo snmp-agent command has no effect. After the SNMP Agent is enabled, you can use the undo snmp-agent command to disable it.
Examples
# Disable the running SNMP agent.
<Eudemon> system-view
[Eudemon] undo snmp-agent
Format
snmp-agent community { read | write } community-name [ mib-view view-name | acl acl-number ] *
undo snmp-agent community community-name
Parameters
read: indicates that the community name has read-only authority in the specified view.
write: indicates that the community name has read and write authority in the specified view.
community-name: specifies the character string of the community name. The value is in the range of 1 to 32 characters.
mib-view view-name: sets the MIB view that the community name can access. The value is in the range of 1 to 32 characters.
acl acl-number: specifies the number of the ACL corresponding to the community name. It is an integer that ranges from 2000 to 2999.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the community name as comaccess and allow read-only access using this community name.
<Eudemon> system-view
[Eudemon] snmp-agent community read comaccess
# Set the community name as mgr and allow read and write access.
[Eudemon] snmp-agent community write mgr
Format
snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
undo snmp-agent group { v1 | v2c } group-name
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
undo snmp-agent group v3 group-name [ authentication | privacy ]
Parameters
v1: specifies the V1 security mode the user uses.
v2c: specifies the V2c security mode the user uses.
v3: specifies the V3 security mode the user uses.
group-name: specifies the group name. The value is in the range of 1 to 32 bytes.
authentication: authenticates but does not encrypt the packet.
privacy: authenticates and encrypts the packet.
read-view read-view: specifies the name of the read-only view. The value is in the range of 1 to 32 bytes.
write-view write-view: specifies the name of the read and write view. The value is in the range of 1 to 32 bytes.
notify-view notify-view: specifies the name of the notify view. The value is in the range of 1 to 32 bytes.
acl acl-number: specifies the number of the standard access list. It is an integer that ranges from 2000 to 2999.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, a group created with snmp-agent group v3 group-name has neither authentication nor privacy: messages from its users are neither authenticated nor encrypted until authentication or privacy is specified.
Examples
# Create an SNMP group known as Johngroup.
<Eudemon> system-view
[Eudemon] snmp-agent group v3 Johngroup
Format
snmp-agent local-engineid engine-id
undo snmp-agent local-engineid
Parameters
engine-id: specifies the engine ID. It is a hexadecimal string of 10 to 64 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the Eudemon uses an internal algorithm to generate an engine ID in the format enterprise number + device information, where the device information can be an IP address, a MAC address, or a self-defined hexadecimal string. SNMPv3 user keys are localized with the engine ID, so changing it after snmp-agent usm-user v3 users have been configured invalidates those users (see the usage guidelines of snmp-agent usm-user).
Examples
# Set the local engine ID to 12345A4B1C.
<Eudemon> system-view
[Eudemon] snmp-agent local-engineid 12345A4B1C
Format
snmp-agent mib-view { included | excluded } view-name oid-tree
undo snmp-agent mib-view view-name
Parameters
view-name: specifies the name of the view. It is a string of 1 to 32 characters.
oid-tree: specifies the Object Identifier (OID) of the MIB sub-tree, either as the OID string or as the variable name. For example, it can be a string such as 1.4.5.3.1 or system, and it can contain the wildcard *, for example, 1.4.5.*.*.1. The value is in the range of 1 to 255 characters.
included: includes the MIB sub-tree.
excluded: excludes the MIB sub-tree.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the view name is ViewDefault and the OID is 1.3.6.1. Currently, this command supports not only the input of the character string of the variable OID as a parameter but also the input of the node name as a parameter.
Examples
# Create a view named mib2 that includes the whole internet subtree 1.3.6.1 (this contains MIB-II, 1.3.6.1.2.1, but also every other subtree under internet).
<Eudemon> system-view
[Eudemon] snmp-agent mib-view included mib2 1.3.6.1
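The view a community or group is bound to decides which objects it can reach, and the default view 1.3.6.1 reaches everything under internet, including the SNMP security tables if the agent exposes them (usmUserTable under 1.3.6.1.6.3.15, the VACM tables under 1.3.6.1.6.3.16, and the community table under 1.3.6.1.6.3.18). The following Python is an added example, not Huawei's code: it models included/excluded entries with the page's `*` wildcard as a VACM-style view family (RFC 3415) and resolves visibility by the longest matching subtree. The `ro-safe` view, its entries and the tie-breaking rule (the later-defined entry wins; RFC 3415 prefers the lexicographically greatest subtree) are assumptions for the demonstration, and only numeric oid-trees are handled, not the node-name form such as `system`.

```python
"""Resolve SNMP MIB-view visibility for snmp-agent mib-view style entries.

Added example, not Huawei's code. Entries are (included|excluded, oid-tree)
in definition order; '*' in an oid-tree matches any single sub-identifier
(the page's 1.4.5.*.*.1 form). Resolution follows RFC 3415: the longest
matching subtree decides; ties go to the later-defined entry (assumption,
RFC 3415 prefers the lexicographically greatest subtree). Only numeric
oid-trees are supported; node names such as 'system' are not resolved.
"""


class MibView:
    def __init__(self, name):
        self.name = name
        self.entries = []  # (included: bool, pattern: list of sub-identifier strings)

    def add(self, kind, oid_tree):
        """Mirror 'snmp-agent mib-view { included | excluded } view-name oid-tree'."""
        if kind not in ("included", "excluded"):
            raise ValueError(f"kind must be included or excluded, got {kind!r}")
        self.entries.append((kind == "included", oid_tree.strip(".").split(".")))
        return self

    @staticmethod
    def _covers(pattern, oid):
        # A subtree covers an OID that is at least as long as the pattern and
        # agrees with it on every non-wildcard position.
        if len(oid) < len(pattern):
            return False
        return all(p == "*" or p == o for p, o in zip(pattern, oid))

    def visible(self, oid):
        """True if `oid` (dotted numeric string) is readable through this view."""
        parts = oid.strip(".").split(".")
        best = None
        for included, pattern in self.entries:
            if self._covers(pattern, parts) and (best is None or len(pattern) >= len(best[1])):
                best = (included, pattern)
        return best is not None and best[0]


def build_views():
    """ViewDefault as the page describes it, plus a constructed read-only view."""
    default = MibView("ViewDefault").add("included", "1.3.6.1")
    # ro-safe (assumed name): everything under internet, minus the snmpV2
    # subtree 1.3.6.1.6 that holds usmUserTable (1.3.6.1.6.3.15), the VACM
    # tables (1.3.6.1.6.3.16) and snmpCommunityTable (1.3.6.1.6.3.18), while
    # re-admitting the longer subtree snmpMIB (1.3.6.1.6.3.1) so snmpTrapOID
    # and the generic trap definitions stay visible.
    ro_safe = (MibView("ro-safe")
               .add("included", "1.3.6.1")
               .add("excluded", "1.3.6.1.6.*")
               .add("included", "1.3.6.1.6.3.1"))
    return {"ViewDefault": default, "ro-safe": ro_safe}


if __name__ == "__main__":
    for name, view in build_views().items():
        for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.15.1.2.2.1.3", "1.3.6.1.6.3.1.1.4.1.0"):
            print(f"{name:12} {oid:28} {'visible' if view.visible(oid) else 'hidden'}")
```

Binding a read community to a view like `ro-safe` (via `snmp-agent community read name mib-view ro-safe`) keeps the user and access-control tables out of reach of anyone who learns the community string, while the standard system, interface and enterprise subtrees remain readable.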
Format
snmp-agent packet max-size max-size
undo snmp-agent packet max-size
Parameters
max-size: specifies the maximum value of SNMP message packets received by or sent from Agent in bytes, which ranges from 484 to 17940. By default, the value is set to 1500.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the maximum SNMP packet that the SNMP agent receives or sends to 1042 bytes.
<Eudemon> system-view
[Eudemon] snmp-agent packet max-size 1042
Using the undo snmp-agent sys-info command, you can cancel the current setting.
Format
snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 } * | all } }
undo snmp-agent sys-info { contact | location | version { { v1 | v2c | v3 } * | all } }
Parameters
contact sys-contact: indicates the contact information for system maintenance.
location sys-location: indicates the location of the device.
version: sets the SNMP versions used by the system.
v1: specifies SNMPv1.
v2c: specifies SNMPv2c.
v3: specifies SNMPv3.
all: specifies SNMPv1, SNMPv2c and SNMPv3.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the system maintenance (contact) information is "R&Ds Beijing,Huawei Technologies co.,Ltd.", the system location is "Beijing China", and the version is SNMPv3.
Examples
# Set the contact information of the system maintenance as call Operator at 123-12345678.
<Eudemon> system-view
[Eudemon] snmp-agent sys-info contact call Operator at 123-12345678
Format
snmp-agent target-host trap address udp-domain X.X.X.X [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-name [ v1 | v2c | v3 [ authentication | privacy ] ]
undo snmp-agent target-host X.X.X.X [ vpn-instance vpn-instance-name ] securityname security-name
Parameters
trap: specifies the host as a trap host.
address: specifies the address of the destination host that receives the SNMP messages.
udp-domain: specifies that the destination host is reached over UDP.
X.X.X.X: specifies the IP address of the host.
udp-port port-number: specifies the number of the port that receives the trap packets. It is an integer that ranges from 0 to 65535. By default, it is 162.
vpn-instance vpn-instance-name: specifies the name of the VPN instance in which the host resides.
params: introduces the security parameters used for the messages sent to this host.
securityname security-name: specifies the community name for SNMPv1 or SNMPv2c, or the user name for SNMPv3. The value is in the range of 1 to 32 bytes.
v1 | v2c | v3: specifies the version of the trap packets. By default, it is v1.
authentication: authenticates but does not encrypt the packet.
privacy: authenticates and encrypts the packet.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The snmp-agent target-host and snmp-agent trap enable commands must be used together. The snmp-agent trap enable command enables the device to send Trap packets; the snmp-agent target-host command specifies where they are sent. To have the device send notifications, configure at least one snmp-agent target-host command and one snmp-agent trap enable command.
Examples
# Enable the firewall to send VRRP Trap packets to the host (10.1.1.1), and use community name comaccess.
<Eudemon> system-view
[Eudemon] snmp-agent trap enable vrrp
[Eudemon] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname comaccess
# Enable the firewall to send VRRP Trap packets to the host (10.1.1.1), and use community name public.
<Eudemon> system-view
[Eudemon] snmp-agent trap enable vrrp
[Eudemon] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
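The snmp-agent community, snmp-agent group v3 and snmp-agent target-host commands above carry the settings an auditor checks first: whether a community is a well-known default, whether it is limited by an acl and a mib-view, whether a v3 group uses privacy, and with which version and security name traps leave the device (the default is v1, so the securityname goes out in clear text). The following Python is an added example, not Huawei's code: it parses those command forms as they appear in a running configuration, here the constructed SAMPLE_CONFIG, and returns findings. The WEAK_COMMUNITIES set, the user, group and view names and the ACL numbers in the sample are assumptions.

```python
"""Audit the SNMP lines of an Eudemon running configuration.

Added example, not Huawei's code. Parses the command forms documented on this
page (snmp-agent community / sys-info version / group / usm-user / target-host)
and flags settings a reviewer would question. SAMPLE_CONFIG is constructed;
WEAK_COMMUNITIES is an assumption about names worth flagging.
"""
from dataclasses import dataclass

WEAK_COMMUNITIES = {"public", "private"}


@dataclass
class Finding:
    line: str
    issue: str


def _options(tokens, keywords):
    """Map each keyword in `keywords` found in `tokens` to the token that follows it."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i] in keywords:
            opts[tokens[i]] = tokens[i + 1] if i + 1 < len(tokens) else None
            i += 2
        else:
            i += 1
    return opts


def audit_snmp_config(config_text):
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        t = line.split()
        if len(t) < 2 or t[0] != "snmp-agent":
            continue
        kind = t[1]
        # snmp-agent community { read | write } name [ mib-view v ] [ acl n ]
        if kind == "community" and len(t) >= 4:
            mode, name = t[2], t[3]
            opts = _options(t[4:], {"mib-view", "acl"})
            if name.lower() in WEAK_COMMUNITIES:
                findings.append(Finding(line, f"community '{name}' is a well-known default"))
            if "acl" not in opts:
                findings.append(Finding(line, f"{mode} community '{name}' has no acl: any source address may use it"))
            if mode == "write" and "mib-view" not in opts:
                findings.append(Finding(line, f"write community '{name}' is not confined to a mib-view"))
        # snmp-agent sys-info version { v1 | v2c | v3 } * | all
        elif kind == "sys-info" and t[2:3] == ["version"]:
            if {"v1", "v2c", "all"} & set(t[3:]):
                findings.append(Finding(line, "SNMPv1/v2c enabled: community strings travel in clear text"))
        # snmp-agent group { v1 | v2c | v3 } name [ authentication | privacy ] ...
        elif kind == "group" and len(t) >= 4:
            if t[2] in ("v1", "v2c"):
                findings.append(Finding(line, f"{t[2]} group '{t[3]}' relies on community names only"))
            elif t[4:5] != ["privacy"]:
                level = "authentication" if t[4:5] == ["authentication"] else "no authentication"
                findings.append(Finding(line, f"v3 group '{t[3]}' uses {level}, not privacy: payloads are unencrypted"))
        # snmp-agent usm-user v3 user group [ authentication-mode { md5 | sha } pw ] [ acl n ]
        elif kind == "usm-user" and t[2:3] == ["v3"] and len(t) >= 5:
            algo = _options(t[5:], {"authentication-mode", "acl"}).get("authentication-mode")
            if algo is None:
                findings.append(Finding(line, f"v3 user '{t[3]}' has no authentication-mode (noAuthNoPriv)"))
            elif algo == "md5":
                findings.append(Finding(line, f"v3 user '{t[3]}' uses HMAC-MD5-96; prefer sha"))
        # snmp-agent target-host trap address udp-domain ip ... params securityname name [ v1 | v2c | v3 [ authentication | privacy ] ]
        elif kind == "target-host" and "securityname" in t and "udp-domain" in t:
            ip = t[t.index("udp-domain") + 1]
            rest = t[t.index("securityname") + 1:]
            name = rest[0] if rest else "?"
            version = rest[1] if len(rest) > 1 else "v1"  # page: default version is v1
            if version != "v3":
                findings.append(Finding(line, f"trap host {ip} uses {version}: securityname '{name}' is sent in clear text"))
            elif rest[2:3] != ["privacy"]:
                findings.append(Finding(line, f"v3 traps to {ip} are not encrypted (no privacy)"))
    return findings


# Constructed running-config excerpt mixing weak and hardened settings.
SAMPLE_CONFIG = """\
 snmp-agent
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent community read public
 snmp-agent community write mgr
 snmp-agent sys-info version v1 v3
 snmp-agent group v3 ops-ro
 snmp-agent group v3 ops-rw privacy read-view mib2 write-view mib2 acl 2001
 snmp-agent usm-user v3 John ops-rw authentication-mode md5 hello
 snmp-agent usm-user v3 Alice ops-rw authentication-mode sha s3cret acl 2001
 snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
 snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname Alice v3 privacy
 snmp-agent trap enable
"""

if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{f.issue}\n    {f.line}")
```

Run against the output of display current-configuration, the audit reports eight findings for the sample: the public and mgr communities (default name, no acl, write without a view), SNMPv1 still enabled, the ops-ro group without privacy, John's MD5 authentication and the v1 trap host; the hardened lines for ops-rw, Alice and 10.1.1.2 produce none.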
Format
snmp-agent trap enable [ trap-type [ trap-list ] ]
undo snmp-agent trap enable [ trap-type [ trap-list ] ]
Parameters
trap-type: enables a specified type of trap packets. trap-list: specifies the parameter list corresponding to the specified type of trap packets.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, sending trap packets is disabled. If no parameter is specified in the snmp-agent trap enable command, all modules are allowed to send any type of SNMP trap packet. The snmp-agent trap enable command should be used together with the snmp-agent target-host command, which specifies the destination host of the trap packets; to send Trap packets, you must configure at least one snmp-agent target-host command. The modules that can send trap packets are snmp, bgp, vrrp (VRRP trap packets), configuration (the configuration and management MIB), and system (the system management MIB).
SNMP module can send such types of Trap packets as authentication, coldstart, linkdown, linkup, and warmstart.
Examples
# Enable all OSPF Trap packets and the authfailure Trap of VRRP.
<Eudemon> system-view
[Eudemon] snmp-agent trap enable vrrp authfailure
[Eudemon] snmp-agent trap enable ospf
Format
snmp-agent trap life seconds
undo snmp-agent trap life
Parameters
seconds: specifies the duration of Trap messages, in seconds. It is an integer that ranges from 1 to 2592000. By default, it is 300.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
A Trap message that has been held longer than this duration is dropped. For example, if the duration is set to 500 seconds, a Trap message that has not been sent within 500 seconds is discarded; it is no longer held or sent.
Examples
# Set the duration of Trap messages to 60 seconds.
<Eudemon> system-view
[Eudemon] snmp-agent trap life 60
Function
Using the snmp-agent trap queue-size command, you can set the queue length of the trap packet sent to the destination host. Using the undo snmp-agent trap queue-size command, you can restore the default queue length.
Format
snmp-agent trap queue-size size
undo snmp-agent trap queue-size
Parameters
size: specifies the queue length. It is an integer that ranges from 1 to 1000. By default, the length is 100.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the queue length of trap packets to 200.
<Eudemon> system-view
[Eudemon] snmp-agent trap queue-size 200
Format
snmp-agent trap source interface-type interface-number
undo snmp-agent trap source
Parameters
interface-type: specifies the interface type. interface-number: specifies the interface number.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Every SNMP trap packet carries a source address regardless of the interface it is sent from. Fixing that source address with this command lets the NMS attribute every trap to the same address and trace a given event back to the device.
Examples
# Specify the IP address of the GigabitEthernet 0/0/0 as the source address of trap packets.
<Eudemon> system-view
[Eudemon] snmp-agent trap source GigabitEthernet 0/0/0
Format
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
undo snmp-agent usm-user { v1 | v2c } user-name group-name
snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password ] [ acl acl-number ]
undo snmp-agent usm-user v3 user-name group-name { local | engineid engineid-string }
Parameters
v1: specifies the SNMPv1 security mode the user uses.
v2c: specifies the SNMPv2c security mode the user uses.
v3: specifies the V3 security mode the user uses.
user-name: specifies the user name. It is a string of 1 to 32 characters.
group-name: specifies the name of the group the user belongs to. It is a string of 1 to 32 characters.
acl: sets the ACL for the access view.
acl-number: specifies the basic ACL. It is an integer that ranges from 2000 to 2999.
authentication-mode: specifies the authentication mode.
md5: specifies the authentication protocol as HMAC-MD5-96.
sha: specifies the authentication protocol as HMAC-SHA-96.
auth-password: specifies the authentication password. It is a string of 1 to 64 characters.
engineid: specifies the engine ID associated with the user.
engineid-string: specifies the character string of the engine ID. It is in the range of 5 to 32 characters.
local: indicates the local entity user.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
An SNMPv3 user's keys are derived from the auth-password and localized with the engine ID of the agent the user is configured on, so the engine ID takes part in every authentication. If the engine ID changes after the user has been configured, the user created under the original engine ID becomes invalid and must be re-created.
Examples
# Add a user named John to the SNMP group named Johngroup, with the security level being authentication, the authentication protocol being MD5 and the password being hello.
<Eudemon> system-view
[Eudemon] snmp-agent usm-user v3 John Johngroup authentication-mode md5 hello
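The usage guideline above, and the note under snmp-agent local-engineid, follow from how the User-based Security Model derives keys: the agent does not keep the auth-password but a key localized with its own engine ID (RFC 3414, section 2.6 and appendix A.2). The following Python is an added example, not Huawei's code: it derives Ku from a password, localizes it with an engine ID, checks the result against the RFC 3414 test vector, and shows that an HMAC-MD5-96 authentication tag computed under the engine ID shown in the display snmp-agent usm-user example above no longer verifies once the engine ID changes. The message bytes and the second engine ID are constructed for the demonstration.

```python
"""USM key derivation and localization (RFC 3414 section 2.6, appendix A.2).

Added example, not Huawei's code. Shows why an SNMPv3 user configured with
'snmp-agent usm-user v3 ... authentication-mode { md5 | sha } auth-password'
is bound to the agent's engine ID: the stored key is Kul = H(Ku || engineID || Ku),
so a new engine ID yields a different Kul and the existing user stops validating.
"""
import hashlib
import hmac

PASSWORD_EXPANSION = 1_048_576  # RFC 3414 A.2: hash the password repeated to 1 MiB
AUTH_PARAM_LEN = 12             # HMAC-MD5-96 / HMAC-SHA-96: tag truncated to 96 bits

# The page's md5/sha keywords map to these hashlib names; 'sha' is SHA-1 in RFC 3414.
ALGO = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: bytes, mode: str) -> bytes:
    """Ku: digest of the password repeated (and truncated) to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("empty auth-password")
    reps, rem = divmod(PASSWORD_EXPANSION, len(password))
    return hashlib.new(ALGO[mode], password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, mode: str) -> bytes:
    """Kul: the only key the agent needs to store for this user on this engine."""
    return hashlib.new(ALGO[mode], ku + engine_id + ku).digest()


def user_keys(password: bytes, engine_id: bytes, mode: str):
    ku = password_to_key(password, mode)
    return ku, localize_key(ku, engine_id, mode)


def auth_param(kul: bytes, message: bytes, mode: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the message (auth field already zeroed by the caller)."""
    return hmac.new(kul, message, ALGO[mode]).digest()[:AUTH_PARAM_LEN]


def verify(kul: bytes, message: bytes, mode: str, received: bytes) -> bool:
    return hmac.compare_digest(auth_param(kul, message, mode), received)


def engine_change_breaks_user(password: bytes, old_engine: bytes, new_engine: bytes, mode: str):
    """Tag a message under the old engine's key; report whether each engine's key verifies it."""
    message = b"constructed SNMPv3 message with zeroed auth field"  # constructed sample
    _, kul_old = user_keys(password, old_engine, mode)
    _, kul_new = user_keys(password, new_engine, mode)
    tag = auth_param(kul_old, message, mode)
    return verify(kul_old, message, mode, tag), verify(kul_new, message, mode, tag)


if __name__ == "__main__":
    # Engine ID from the display snmp-agent usm-user example on this page, and a
    # second, constructed engine ID standing in for a re-generated one.
    old_engine = bytes.fromhex("000007DB7F00000100002F19")
    new_engine = bytes.fromhex("800007DB0300000000000001")
    print(engine_change_breaks_user(b"hello", old_engine, new_engine, "md5"))  # (True, False)
```

Because Kul is what the agent stores and what the NMS must compute from the same engine ID, a changed engine ID leaves both sides unable to agree on a key until the user is re-created and the manager re-discovers the engine ID; the md5 keyword selects HMAC-MD5-96, which the example treats as the weaker of the two page options.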
2 Internetworking

About This Chapter

2.1 Interface Management Commands
2.2 Ethernet Interface Configuration Commands
2.3 Basic Logical Interface Configuration Commands
2.4 VLAN Configuration Commands
2.5 IP Address Configuration Commands
2.6 ARP Configuration Commands
2.7 Static Domain Name Resolution Command
2.8 DHCP Configuration Commands
2.9 IP Performance Configuration Commands
2.10 Routing Table Display Commands
2.11 Route Policy Configuration Commands
2.12 RIP Configuration Commands
2.13 OSPF Configuration Commands
2.14 PPP Configuration Commands
2.15 BGP Configuration Commands
2.16 Policy Routing Configuration Commands
2.17 QoS Configuration Commands
2.1.1 description
Function
Using the description command, you can set the interface description. Using the undo description command, you can restore the default setting.
Format
description interface-description
undo description
Parameters
interface-description: describes the Eudemon interface. The value ranges from 1 to 80 characters, and only the first 64 characters are valid.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the description is "HUAWEI, Eudemon Series, interface-type interface-number interface". This command only labels an interface; the description has no effect on its operation. The display interface command shows the description.
Examples
# Set the description of the interface GigabitEthernet 0/0/0 to be Eudemon GigabitEthernet interface.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet 0/0/0] description Eudemon GigabitEthernet interface
Format
display interface [ interface-type [ interface-number ] ]
Parameters
interface-type: specifies the type of an interface. The interface type can be Eth-Trunk, GigabitEthernet, NULL, Tunnel, and Virtual-Template. If no interface-type is specified, the system will display configurations and statistics of all interfaces. interface-number: specifies the number of an interface. If no interface-number is specified, the system will display configurations and statistics of all interfaces with interface-type.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the operating state and statistics of the interface GigabitEthernet 0/0/0.
<Eudemon> display interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 current state : UP
Table 2-1 shows the description of the display interface command output.

Table 2-1 Description of the display interface command output

Item: GigabitEthernet0/0/0 current state
Description: Indicates the physical status of GigabitEthernet0/0/0:
- UP: the physical layer status of the interface is normal.
- DOWN: the physical layer of the interface has failed.
- Administratively down: the administrator has run the shutdown command on the interface.
- Flow Down: the status of the data flow on the interface is Down. This status is consistent with the status of the bound mVRRP virtual device: if the bound mVRRP virtual device is in the Backup or Initialize state, the data flow on the service interface is Down.

Item: Line protocol current state
Description: Indicates the link protocol status of the interface:
- UP: the link protocol status of the interface is normal.
- UP (BFD status down): the BFD session bound to the interface has gone Down.
- UP (Main BFD status down): the BFD session associated with the main interface has gone Down, and the sub-interface follows that status. This status is displayed only on sub-interfaces.
- DOWN: the link protocol of the interface has failed, or no IP address is configured on the interface.
- UP (spoofing): the link protocol status of the interface has the spoofing feature, that is, it is kept Up.

Item: Description
Description: The description of the interface. Up to 64 characters can be entered. The description helps the user identify the function of the interface.

Item: The Maximum Transmit Unit
Description: For an Ethernet or serial interface, the default is 1500 bytes. A packet larger than the MTU is fragmented before being sent; if non-fragmentation is configured, the packet is discarded.

Item: Internet Address
Description: The IP address and subnet mask of the interface.

Description: The life cycle of the packet. If the packet is not sent out within the life cycle, it is discarded.

Description: The Ethernet frame format sent on the interface. The default is Ethernet_2. The Ethernet can identify the following format:

Item: Hardware address
Description: The MAC address of the interface.

Item: Output queue : (Urgent queue : Size/Length/Discards), Output queue : (Protocol queue : Size/Length/Discards), Output queue : (FIFO queuing : Size/Length/Discards)
Description: The current status of the three types of output queue:
- Urgent queue: link-layer protocol packets, such as PPP and Keepalive packets, enter this queue.
- Protocol queue: packets with IP precedence 6 enter this queue.
- FIFO queue: depending on the queue type applied on the interface, this may be FIFO (First In First Out Queue), PQ (Priority Queue), CQ (Custom Queue), or CBQ (Class-based Queue).
When congestion occurs, an interface sends the packets in the Urgent queue first, those in the Protocol queue second, and those in the FIFO queue third. The fields of each output queue mean the following:
- Size: the number of packets currently in the queue.
- Length: the maximum length of the queue, in packets.
- Discards: the number of packets discarded because the queue was full.
By checking the relationship between Discards, Size and Length over a period of time, you can see whether the interface performance meets the requirements. If Discards stays large over a long period and the interface cannot process the input packets in time, a device of higher performance is needed.
Format
display ip interface brief [ interface-type interface-number ]
Parameters
interface-type interface-number: specifies the type and the number of an interface. brief: displays summary information, including the IP address, physical link state, the Up or Down state of the protocol, and the interface description.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Using the display ip interface brief command, you can view the IP-related configuration and statistics of the interface, including:
- IP address
- Statuses of the physical link and protocol
- Description of the interface

By default, if no interface is specified, the system displays the IP configuration and statistics of all interfaces.
Examples
# Display the running state of the interface GigabitEthernet 0/0/0.
<Eudemon> display ip interface brief GigabitEthernet 0/0/0
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 44768, bytes : 3248139, multicasts : 5
output packets : 349434, bytes : 20329975, multicasts : 318985
ARP packet input number: 1314
  Request packet: 169
  Reply packet: 1145
  Unknown packet: 0
Internet Address is 40.1.1.3/24
Broadcast address : 40.1.1.255
TTL invalid packet number: 0
ICMP packet input number: 11
Table 2-2 shows the description of the display ip interface brief command output.

Table 2-2 Description of the display ip interface brief GigabitEthernet 0/0/0 command output

Item: GigabitEthernet0/0/0 current state
Description: Indicates the physical status of GigabitEthernet0/0/0:
- UP: the normal enabled state.
- DOWN: the abnormal state.
- Administratively down: the administrator has run the shutdown command on the interface.

Item: Line protocol current state
Description: Indicates the link protocol status of the interface:
- UP: the normal enabled state.
- DOWN: the abnormal state, or no IP address is configured on the interface.

Item: The Maximum Transmit Unit
Description: The MTU of the interface. For an Ethernet or serial interface, the default is 1500 bytes. A packet larger than the MTU is fragmented before being sent; if non-fragmentation is configured, the packet is discarded.

Description: Information about fast forwarding on the interface.

Item: input packets
Description: Number of input packets, bytes and multicast packets.

Item: output packets
Description: Number of output packets, bytes and multicast packets.
Item: ARP packet input number
Description: Statistics of the ARP packets received on the interface. For non-Ethernet interfaces, this item is displayed as 0. The statistics include:
- Total number of ARP packets
- Request packet: number of ARP request packets
- Reply packet: number of ARP reply packets
- Unknown packet: number of other ARP packets

Item: Internet Address
Description: IP address of the interface, in the format IP address/mask length.

Item: Broadcast address
Description: Broadcast address of the interface.

Item: TTL invalid packet number
Description: Number of packets whose TTL value is illegal. A packet whose TTL value is 0 or 1 is considered an illegal TTL packet.

Item: ICMP packet input number
Description: Total number of ICMP packets received on the interface, followed by a breakdown by type:
- Echo reply: number of echo-reply packets.
- Unreachable: number of destination-unreachable packets.
- Source quench: number of source-quench packets.
- Routing redirect: number of redirect packets.
- Echo request: number of echo-request packets.
- Router advert: number of router-advertisement packets.
- Router solicit: number of router-solicitation packets.
- Time exceed: number of time-exceeded packets.
- IP header bad: number of packets with a corrupted IP header.
- Timestamp request: number of timestamp-request packets.
- Timestamp reply: number of timestamp-reply packets.
- Information request: number of information-request packets.
- Information reply: number of information-reply packets.
- Netmask request: number of mask-request packets.
- Netmask reply: number of mask-reply packets.
- Unknown type: number of packets of an unknown type.

Item: DHCP packet deal mode
Description: The modes of handling the DHCP packet include:
2.1.4 interface
Function
Using the interface command, you can create an interface and enter the interface view.
Format
interface interface-type interface-number
Parameters
interface-type interface-number: specifies the type and the number of an interface. The interface type can be Eth-Trunk, GigabitEthernet, Logic-Channel, LoopBack, NULL, Tunnel, and Virtual-Template. The format of the interface number is slot number/card number/port number.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After physical interfaces have been added to an Eth-Trunk interface, load sharing across those physical interfaces can be configured.
Examples
# Set an interface GigabitEthernet 0/0/0 and enter the interface view from the system view.
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0]
2.1.5 ip binding
Function
Using the ip binding command, you can bind an interface or sub-interface to a vpn-instance. Using the undo ip binding command, you can cancel the binding.
Format
ip binding vpn-instance vpn-name
undo ip binding vpn-instance [ vpn-name ]
Parameters
vpn-name: Specifies the name assigned to vpn-instance. The value is in the range of 1 to 19 characters.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
CAUTION
- You must bind an Ethernet interface to a VPN instance before adding the Ethernet interface to a zone in the trust zone view of that vpn-instance.
- After the Ethernet interface is bound to a VPN instance, or the binding is cancelled, you must re-configure the Layer 3 features of the interface, such as re-assigning its IP address or re-configuring its routing protocols.

By default, no VPN instance is bound to the Ethernet interface.
Examples
# Enter the GigabitEthernet 0/0/0 view and bind it with vpn-instance v1.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ip binding vpn-instance v1
Format
reset counters interface [ interface-type [ interface-number ] ]
Parameters
interface-type: specifies the type of an interface. If no parameter is specified, the statistics of all interfaces will be cleared. interface-number: specifies the number of an interface. If no parameter is specified, the statistics of all interfaces of the specified type will be cleared.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
In some cases, the traffic statistics at a certain interface requires counting within a certain period. As a result, the original statistics should be cleared before the recounting starts.
Examples
# Clear the statistics at all interfaces.
<Eudemon> reset counters interface
Format
shutdown
undo shutdown
Parameters
None
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, when the Eudemon is powered on, all physical interfaces are initialized and enabled. Use this command carefully. In some special cases, such as after modifying the operating parameters of an interface, the change does not take effect until the interface is disabled with shutdown and re-enabled with undo shutdown.
Examples
# Disable the interface GigabitEthernet 0/0/1.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/1
[Eudemon-GigabitEthernet 0/0/1] shutdown
Function
Using the firewall fifo enable command, you can enable the packet order guarantee of an interface. Using the undo firewall fifo enable command, you can disable the packet order guarantee of an interface.
Format
firewall fifo enable
undo firewall fifo enable
Parameters
None
Views
System view and interface view
Default Level
2: Configuration level
Usage Guidelines
The packet order guarantee ensures that packets received from the same physical interface are processed and forwarded in the order in which they were received. Run firewall fifo enable in the system view to enable the packet order guarantee on all physical interfaces, or in the interface view to enable it on the specified interface only.
Examples
# Enable the packet order guarantee of GigabitEthernet 0/0/0.
[Eudemon-GigabitEthernet0/0/0] firewall fifo enable
Format
firewall packet-capture acl-number [ egress | ingress ] [ queue queue-id ]
undo firewall packet-capture [ egress | ingress ]
Parameters
acl-number: indicates the number of an ACL.
egress: indicates capturing the packets in the outbound direction of the interface.
ingress: indicates capturing the packets in the inbound direction of the interface.
queue queue-id: specifies the ID of a packet cache queue. The value ranges from 0 to 1.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Capture the packets that match ACL 3000 in the outbound direction of GigabitEthernet 0/0/0 and store them in queue 0.
[Eudemon-GigabitEthernet0/0/0] firewall packet-capture 3000 egress queue 0
Format
firewall packet-capture startup [ capture-value | difficult capture-value | simple capture-value ]
undo firewall packet-capture startup
Parameters
difficult: indicates complex packet capture. The captured length is set to the maximum value in the case of no fragmentation.
simple: indicates simple packet capture. The captured length is set to the first 100 bytes of the data packet.
capture-value: indicates the number of packets captured in a single direction.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The packet capture function is used to learn which packets the Eudemon receives and how it processes them. The number of captured packets may not equal the configured capture-value; the variation is about 5%.
Examples
# Enable the packet capture function in simple mode.
<Eudemon> system-view
[Eudemon] firewall packet-capture startup simple
Format
firewall packet-capture send queue queue-id [ vpn-instance vpn-name ] ip ip-address [ destination-port port-number ]
undo firewall packet-capture send
Parameters
queue queue-id: specifies the ID of a packet cache queue. The value ranges from 0 to 1.
vpn-instance vpn-name: specifies a VPN instance.
ip ip-address: indicates the IP address for receiving packets.
destination-port port-number: specifies the port for receiving packets. The value ranges from 1024 to 65535.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Send the packets in the specified packet capture queue to the specific port of the specified IP address.
[Eudemon] firewall packet-capture send queue 0 ip 1.1.1.2 destination-port 2002
Format
display firewall packet-capture { configuration | queue queue-id [ packet-id ] | statistic }
Parameters
configuration: views the configuration of the packet capture function.
queue queue-id: views the information related to the packet cache queue.
packet-id: views the specific packet in the queue.
statistic: views the statistics of the packets captured.
Views
All views
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# View the statistics information of the packets captured.
[Eudemon-GigabitEthernet 0/0/0] display firewall packet-capture statistic
2.2.2 display interface
2.2.3 duplex
2.2.4 loopback
2.2.5 mtu
2.2.6 portswitch
2.2.7 speed
2.2.8 distribute-weight
Format
debugging ethernet packet [ arp | error | ip ] [ verbose ] [ interface interface-type interface-number ]
debugging ethernet packet mac { dest_mac dest_mac | src_mac src_mac }
undo debugging ethernet packet [ arp | error | ip ] [ interface interface-type interface-number ]
undo debugging ethernet packet mac { dest_mac | src_mac }
Parameters
arp: enables the debugging of ARP packets.
error: enables the debugging of error information.
ip: enables the debugging of IP packets.
verbose: outputs packet contents. With verbose, the first 64 bytes of each packet are displayed.
interface-type interface-number: specifies the interface type and the interface number. Only GigabitEthernet and Eth-Trunk interfaces are supported.
dest_mac: specifies the destination MAC address of the Ethernet frame, in the format H-H-H.
src_mac: specifies the source MAC address of the Ethernet frame, in the format H-H-H.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Enable debugging of IP packets on Ethernet interfaces.
<Eudemon> debugging ethernet packet ip
*0.301643 Eudemon ETH/8/eth_rcv:Slot=2;Receive an Eth Packet, interface : GigabitEthernet2/2/0, eth format: 0, prototype: 0800 ip, src_eth_addr: 0000-5e13-6c02, dst_eth_addr: 0100-5e00-0005
Table 2-3 shows the description of the debugging ethernet packet command output.

Table 2-3 Description of the debugging ethernet packet command output

Item: eth_discard
Description: Packets discarded.

Item: interface
Description: Interface.

Item: eth format
Description: Frame format.

Item: prototype
Description: Protocol carried by the Ethernet packet.

Item: src_eth_addr
Description: Source address.

Item: dst_eth_addr
Description: Destination address.

Item: because
Description: Error cause prompt.
Function
Using the display interface command, you can view the information of the Ethernet interface such as various configuration parameters and the current running state.
Format
display interface [ interface-type [ interface-number ] ]
Parameters
interface-type: specifies the type of an interface. If no interface-type is specified, the system displays the configurations and statistics of all interfaces.
interface-number: specifies the number of an interface. If no interface-number is specified, the system displays the configurations and statistics of all interfaces of the given interface-type.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the operating state and statistics of the interface GigabitEthernet 0/0/0.
<Eudemon> display interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
Description : HUAWEI, Eudemon Series, GigabitEthernet0/0/0 Interface
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.10.10.1/24
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fca4-b3b5
Media type is twisted pair, loopback not set, promiscuous mode set
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
Output flow-control is unsupported, input flow-control is unsupported
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
5 minutes input rate 0 bytes/sec, 0 packets/sec
5 minutes output rate 0 bytes/sec, 0 packets/sec
Input: 1577 packets, 202525 bytes
1577 broadcasts (100.00%), 0 multicasts (0.00%)
0 errors, 0 runts, 0 giants, 0 CRC, 0 collisions, 0 late collisions, 0 overruns, 0 jabbers, 0 input no buffers, 0 Resource errors, 0 other errors
Output:0 packets, 0 bytes
0 errors, 0 late collisions, 0 underruns, 0 retransmit limits
Table 2-4 shows the description of the display interface command output.
Table 2-4 Description of the display interface command output

Item: GigabitEthernet0/0/0 current state
Description: Indicates the physical status of GigabitEthernet0/0/0:
- UP: indicates that the physical layer status of the interface is normal.
- DOWN: indicates that the physical layer of the interface fails.
- Administratively down: indicates that the shutdown command has been run on the interface by the administrator.
- Flow Down: indicates that the status of the data flow on the interface is Down. This status is consistent with the status of the bound mVRRP virtual device. If the status of the bound mVRRP virtual device is Backup or Initialize, the status of the data flow on the service interface is Down.

Item: Line protocol current state
Description: Indicates the link protocol status of the interface:
- UP: indicates that the link protocol status of the interface is normal.
- UP (BFD status down): indicates that the BFD session bound to the interface has gone Down.
- UP (Main BFD status down): indicates that the BFD session associated with the main interface has gone Down and is associated with the status of the sub-interface. This status is displayed only on sub-interfaces.
- DOWN: indicates that the link protocol status of the interface fails or the interface is not configured with an IP address.
- UP (spoofing): indicates that the link protocol status of the interface has the spoofing feature, that is, the link protocol status of the interface stays Up.

Item: Description
Description: Indicates the description of the interface. Up to 64 characters can be entered. The description helps the user become familiar with the interface function.

Item: The Maximum Transmit Unit
Description: For the Ethernet interface or the serial interface, the default is 1500 bytes. A packet larger than the MTU is fragmented before being sent. If non-fragmentation is configured, the packet is discarded.

Item: Internet Address
Description: Indicates the IP address and the subnet mask of the interface.

Description: Indicates the life cycle of the packet. If the packet is not sent out during the life cycle, it is discarded.

Item: IP Sending Frames' Format
Description: Indicates the Ethernet frame format sent on the interface. The default is Ethernet_2. The Ethernet interface can identify several frame formats.

Item: Hardware address
Description: Indicates the MAC address of the interface.

Item: Output queue : (Urgent queue : Size/Length/Discards), Output queue : (Protocol queue : Size/Length/Discards), Output queue : (FIFO queuing : Size/Length/Discards)
Description: The current status of the three types of output queue:
- Urgent queue: link layer protocol packets, such as PPP and Keepalive packets, enter this queue.
- Protocol queue: packets with IP precedence 6 enter this queue.
- FIFO queue: depending on the queuing type applied on the interface, this may be FIFO (First In First Out Queue), PQ (Priority Queue), CQ (Custom Queue), or CBQ (Class-based Queue).
When congestion happens, an interface sends the packets in the Urgent queue first, those in the Protocol queue second, and those in the FIFO queue third. The fields of each output queue are as follows:
- Size: indicates the number of packets in the queue.
- Length: indicates the maximum queue length in packets.
- Discards: indicates the number of packets discarded because the queue is full.
By checking the relationship between Discards, Size and Length over a period, you can see whether the interface performance satisfies the requirements. If Discards remains large for a long time, the interface cannot process the input packets in time and a device of higher performance is needed.
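The Discards/Size/Length check described above is easy to automate across successive snapshots. The Python below is an added example, not Huawei code: it parses the display interface output shown above (re-typed as a constructed snapshot), compares it with a second, constructed snapshot, and reports queues that are filling or discarding and input error counters that grew; the fill threshold and the watched counters are assumptions. The same parser applies to the display interface vlanif and display interface virtual-template outputs later in this section, which share these fields.

```python
"""Parse Huawei Eudemon 'display interface' output and apply the manual's
Size/Length/Discards rule of thumb across two snapshots.  Added example, not
Huawei code; second snapshot and thresholds are constructed assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed snapshot 1: the command output shown in the manual, re-typed.
SNAPSHOT_T0 = """\
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
Description : HUAWEI, Eudemon Series, GigabitEthernet0/0/0 Interface
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
5 minutes input rate 0 bytes/sec, 0 packets/sec
Input: 1577 packets, 202525 bytes
1577 broadcasts (100.00%), 0 multicasts (0.00%)
0 errors, 0 runts, 0 giants, 0 CRC, 0 collisions, 0 late collisions, 0 overruns, 0 jabbers, 0 input no buffers, 0 Resource errors, 0 other errors
Output:0 packets, 0 bytes
0 errors, 0 late collisions, 0 underruns, 0 retransmit limits
"""

# Constructed snapshot 2 (assumption): same interface a few minutes later, with
# the FIFO queue nearly full and discarding, and input CRC errors rising.
SNAPSHOT_T1 = SNAPSHOT_T0.replace(
    "(FIFO queuing : Size/Length/Discards) 0/75/0",
    "(FIFO queuing : Size/Length/Discards) 71/75/4380",
).replace("0 errors, 0 runts, 0 giants, 0 CRC", "812 errors, 0 runts, 0 giants, 812 CRC")

STATE_RE = re.compile(r"^(\S+) current state : (.+)$")
PROTO_RE = re.compile(r"^Line protocol current state : (.+)$")
QUEUE_RE = re.compile(
    r"^Output queue : \((\w+) (?:queue|queuing) : Size/Length/Discards\) (\d+)/(\d+)/(\d+)$")
TOTAL_RE = re.compile(r"^(Input|Output):\s*(\d+) packets, (\d+) bytes$")
# One "<count> <name>" field of a counter line, e.g. "0 CRC" or "1577 broadcasts (100.00%)".
COUNTER_RE = re.compile(r"^(\d+) ([A-Za-z][A-Za-z ]*?)\s*(?:\([^)]*\))?$")


@dataclass
class Queue:
    size: int      # packets currently queued
    length: int    # maximum queue length in packets
    discards: int  # packets dropped because the queue was full


@dataclass
class InterfaceStats:
    name: str = ""
    state: str = ""
    line_protocol: str = ""
    queues: Dict[str, Queue] = field(default_factory=dict)             # "Urgent"/"Protocol"/"FIFO"
    totals: Dict[str, Tuple[int, int]] = field(default_factory=dict)   # direction -> (packets, bytes)
    counters: Dict[str, Dict[str, int]] = field(default_factory=dict)  # direction -> {name: count}


def parse_display_interface(text: str) -> InterfaceStats:
    """Turn one display interface block into structured state and counters."""
    stats = InterfaceStats()
    section = None  # "Input" or "Output" while inside that counter block
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROTO_RE.match(line):
            stats.line_protocol = m.group(1).strip()
        elif m := STATE_RE.match(line):
            stats.name, stats.state = m.group(1), m.group(2).strip()
        elif m := QUEUE_RE.match(line):
            stats.queues[m.group(1)] = Queue(*map(int, m.group(2, 3, 4)))
        elif m := TOTAL_RE.match(line):
            section = m.group(1)
            stats.totals[section] = (int(m.group(2)), int(m.group(3)))
            stats.counters[section] = {}
        elif section and line[:1].isdigit():
            for chunk in line.split(","):
                if c := COUNTER_RE.match(chunk.strip()):
                    stats.counters[section][c.group(2)] = int(c.group(1))
        else:
            section = None  # any other line ends the Input/Output counter block
    return stats


def queue_pressure(before: InterfaceStats, after: InterfaceStats,
                   fill_warn: float = 0.8) -> List[str]:
    """Flag queues whose Discards grew between snapshots or whose Size sits near
    Length: the manual's sign that the interface cannot drain packets in time."""
    findings = []
    for name, q1 in after.queues.items():
        q0 = before.queues.get(name, Queue(0, q1.length, 0))
        new_discards = q1.discards - q0.discards
        fill = q1.size / q1.length if q1.length else 0.0
        if new_discards > 0 or fill >= fill_warn:
            findings.append(f"{after.name} {name} queue: {q1.size}/{q1.length} "
                            f"({fill:.0%} full), +{new_discards} discards")
    return findings


def error_growth(before: InterfaceStats, after: InterfaceStats, direction: str = "Input",
                 watch=("errors", "CRC", "overruns", "input no buffers")) -> Dict[str, int]:
    """Return the watched error counters that increased between the two snapshots."""
    prev, curr = before.counters.get(direction, {}), after.counters.get(direction, {})
    return {k: curr[k] - prev.get(k, 0) for k in watch if curr.get(k, 0) > prev.get(k, 0)}


if __name__ == "__main__":
    t0, t1 = parse_display_interface(SNAPSHOT_T0), parse_display_interface(SNAPSHOT_T1)
    print(queue_pressure(t0, t1), error_growth(t0, t1))
```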
2.2.3 duplex
Function
Using the duplex command, you can set the operating mode on fast Ethernet interface. Using the undo duplex command, you can restore the default setting.
Format
duplex { negotiation | full | half }
undo duplex
Parameters
negotiation: sets the operating mode of the Ethernet interface to auto-negotiation.
full: sets the operating mode of the Ethernet interface to full-duplex.
half: sets the operating mode of the Ethernet interface to half-duplex.
Views
Ethernet interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the Ethernet interface works in auto-negotiation mode. The operating mode set on the Ethernet interface should be consistent with that of the device on the other side.
Examples
# Set the interface GigabitEthernet 0/0/0 to operate in auto-negotiation mode.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] duplex negotiation
2.2.4 loopback
Function
Using the loopback command, you can enable loopback on Ethernet interface. Using the undo loopback command, you can disable this function.
Format
loopback
undo loopback
Parameters
None
Views
Ethernet interface view
Default Level
2: Configuration level
Usage Guidelines
By default, loopback is disabled. The Ethernet interface is set to loopback mode only when some special functions are tested. Local loopback can be configured on fast Ethernet interfaces and GigabitEthernet interfaces.
Examples
# Enable loopback on interface GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] loopback
2.2.5 mtu
Function
Using the mtu command, you can set the Maximum Transmission Unit (MTU) of the Ethernet interface. Using the undo mtu command, you can restore the default setting.
Format
mtu GigabitEthernet-mtu
undo mtu
Parameters
GigabitEthernet-mtu: specifies the MTU of the Ethernet interface in bytes. The value ranges from 328 to 1600.
Views
Ethernet interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the MTU is 1500 bytes for the Ethernet_II frame format or 1492 bytes for the Ethernet_SNAP frame format. The interface must be restarted for the MTU setting to take effect.
Examples
# Set the MTU of the interface GigabitEthernet 0/0/0 to 1492.
2.2.6 portswitch
Function
Using the portswitch command, you can switch an Ethernet interface from the Layer 3 mode to the Layer 2 mode. Using the undo portswitch command, you can switch an Ethernet interface from the Layer 2 mode to the Layer 3 mode.
Format
portswitch
undo portswitch
Parameters
None
Views
Ethernet interface view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
By default, Ethernet interfaces on the firewall work in the Layer 3 mode. Before you add an interface to a VLAN or perform other Layer 2 interface configurations, you need to switch the interface to the Layer 2 mode. Before running the portswitch or undo portswitch command, make sure that the interface is configured only with the shutdown/undo shutdown or negotiation auto/undo negotiation auto commands.
Examples
# Switch over the interface GigabitEthernet 0/0/0 to a LAN interface in composite mode.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] portswitch
2.2.7 speed
Function
Using the speed command, you can set the operating speed of the current Ethernet interface. Using the undo speed command, you can restore the default setting.
Format
speed { 10 | 100 | 1000 | negotiation }
undo speed
Parameters
10: sets the speed to 10 Mbit/s.
100: sets the speed to 100 Mbit/s.
1000: sets the speed to 1000 Mbit/s.
negotiation: sets the speed to 10 Mbit/s, 100 Mbit/s or 1000 Mbit/s in auto-negotiation mode.
Views
Ethernet interface view
Default Level
2: Configuration level
Usage Guidelines
By default, auto-negotiation mode is used.
Examples
# Set the working speed of interface GigabitEthernet 0/0/0 to 1000 Mbit/s.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] speed 1000
2.2.8 distribute-weight
Function
Using the distribute-weight command, you can set interface load sharing. Using the undo distribute-weight command, you can restore the default setting.
Format
distribute-weight number
undo distribute-weight
Parameters
number: sets the weight for interface load sharing. The value is an integer ranging from 1 to 24.
Views
Ethernet interface view
Default Level
2: Configuration level
Usage Guidelines
The command is valid only when the interface has been added to a trunk interface.
Examples
# Set the load sharing weight of the GigabitEthernet0/0/0 interface to 10.
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] distribute-weight 10
Function
Using the broadcast-limit link command, you can set the maximum number of links on a virtual template that support sending multicast or broadcast packets. Using the undo broadcast-limit link command, you can restore the default setting.
Format
broadcast-limit link number
undo broadcast-limit link
Parameters
number: specifies the maximum number of links on the virtual template interface that support sending multicast or broadcast packets. The value ranges from 0 to 128.
Views
Virtual template interface view
Default Level
2: Configuration level
Usage Guidelines
When there are many links on a virtual template, sending multicast or broadcast packets on every link may affect the system. In this case, the broadcast-limit link command can be used to set a limit, so that multicast or broadcast packets are discarded once the number of links exceeds the limit.
Examples
# Set the maximum number of links on virtual template interface 1 that support sending multicast or broadcast packets to 100.
<Eudemon> system-view
[Eudemon] interface virtual-template 1
[Eudemon-Virtual-Template1] broadcast-limit link 100
Format
display interface null [ number ]
Parameters
number: specifies the null interface number. The only valid value is 0.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
There can be only one null interface, namely Null0.
Examples
# Display the state of the interface Null0.
<Eudemon> display interface null 0
NULL0 current state : UP
Line protocol current state :UP (spoofing)
Description : Huawei, Eudemon Series, NULL0 Interface
The Maximum Transmit Unit is 1500 bytes
Internet protocol processing : disabled
Physical is NULL DEV
5 minutes input rate 0 bytes/sec, 0 packets/sec
5 minutes output rate 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes, 0 drops
0 packets output, 0 bytes, 0 drops
Format
display interface tunnel [ interface-number ]
Parameters
interface-number: specifies the tunnel interface number. The value ranges from 0 to 3.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View interface information about the specified tunnel.
<Eudemon> display interface tunnel 3
Tunnel3 current state : UP
Line protocol current state : DOWN
Description : Huawei, Eudemon Series, Tunnel3 Interface
The Maximum Transmit Unit is 64000 bytes
Internet protocol processing : disabled
Encapsulation is TUNNEL, loopback not set
Tunnel source 0.0.0.0, destination 0.0.0.0
Tunnel protocol/transport GRE/IP, key disabled
Checksumming of packets disabled
Table 2-5 shows the description of the display interface tunnel command output.

Table 2-5 Description of the display interface tunnel command output

Item: Tunnel3 current state
Description: Physical status of the tunnel:
- Up: the interface is in the normal state.
- Down: the interface is not in the normal state.

Item: Line protocol current state
Description: Status of the network layer protocol on the tunnel interface:
- Up: the network layer protocol of the tunnel interface works normally.
- Down: the network layer protocol of the tunnel interface is abnormal.

Item: Description
Description: The description of the tunnel interface.

Item: The Maximum Transmit Unit
Description: Indicates the Maximum Transmission Unit of the tunnel interface.

Item: Internet protocol processing: disabled
Description: Internet protocol processing is disabled.

Item: Encapsulation is TUNNEL, loopback not set
Description: Encapsulation type of packets on the tunnel interface. The tunnel interface does not support the loopback test.

Item: Tunnel source 0.0.0.0
Description: Indicates that the source address of the tunnel interface is 0.0.0.0 (the IP address of the LoopBack interface that the local end corresponds to).

Item: destination 0.0.0.0
Description: Indicates that the destination address of the tunnel interface is 0.0.0.0 (the IP address of the LoopBack interface that the peer end corresponds to).

Item: Tunnel protocol/transport GRE/IP
Description: The tunnel encapsulation protocol is GRE. The transport protocol is IP.

Item: key
Description: Key word for identifying tunnel interfaces. If the key word is not set, the system displays "disabled", which indicates that the system does not perform key word authentication on the tunnel. If the key word is set, the system displays it as an integer in hex.

Item: Checksumming of packets
Description: Indicates the end-to-end tunnel check:
- disabled indicates that the received packets are not checked.
- enabled indicates that the received packets are checked.
Format
display interface virtual-template [ vt-number ]
Parameters
vt-number: specifies the virtual template interface number. The value ranges from 0 to 1023.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Using the status and statistics of the interface collected by this command, you can measure the traffic on the interface and locate faults.
Examples
# View the status of the specified VT interface.
<Eudemon> display interface virtual-template 1
Virtual-Template1 current state : UP
Line protocol current state :UP (spoofing)
Table 2-6 shows the description of the display interface virtual-template command output.

Table 2-6 Description of the display interface Virtual-Template command output

Item: Virtual-Template1 current state
Description: Indicates the physical status of the VT interface:
- UP: indicates the normal enabled state.
- DOWN: indicates the abnormal state.
- Administratively Down: if the administrator has run the shutdown command on the interface, the state is Administratively Down.

Item: Line protocol current state
Description: Indicates the link protocol status of the VT interface:
- UP: indicates the normal enabled state.
- DOWN: indicates the abnormal state, or that no IP address is configured on the interface.

Description: Indicates the link layer protocol.

Description: The interface is not configured with an IP address.

Description: Indicates the LCP initialization.

Item: Description
Description: Indicates the description of the interface. A maximum of 64 characters, which are case sensitive and may include blank spaces, can be entered. The description helps the user become familiar with the interface function.

Item: The Maximum Transmit Unit
Description: For the GigabitEthernet interface, the default is 1500 bytes. A packet larger than the MTU is fragmented before being sent. If non-fragmentation is configured, the packet is discarded.

Item: Physical is None
Description: Indicates that the logical interface does not exist physically.

Item: Output queue : (Urgent queue : Size/Length/Discards), Output queue : (Protocol queue : Size/Length/Discards), Output queue : (FIFO queuing : Size/Length/Discards)
Description: The three output queues:
- Urgent queue: link layer protocol packets, such as the negotiation packets and the Keepalive packets of PPP, join this queue.
- Protocol queue: packets whose IP precedence is 6 join this queue.
- FIFO queue: this queue may be a First In First Out Queue (FIFO), a Priority Queue (PQ), a Custom Queue (CQ), or a Class-based Queue (CBQ).
When congestion occurs, the interface first sends the packets in the urgent queue, then the packets in the protocol queue, and finally the packets in the FIFO queue. Each queue is displayed as numbers in the format Size/Length/Discards. The fields are as follows:
- Size: indicates the number of packets in the queue.
- Length: indicates the maximum queue length in packets.
- Discards: indicates the number of packets discarded when the queue is full.
By comparing the value of Discards with those of Size and Length, you can decide whether the performance of the interface is satisfactory. For example, if the value of Discards is comparatively large, the device is performing other tasks and cannot process the new packets in time. If this persists for a long time, it generally indicates that a more powerful device is needed.

Item: 5 minutes input rate / 5 minutes output rate
Description: Indicates the byte rate and packet rate of packets received and sent through the interface within the last five minutes.
2.3.5 eth-trunk
Function
Using the eth-trunk command, you can add the current Ethernet interface to the Eth-Trunk group. Using the undo eth-trunk command, you can delete the current Ethernet interface from the Eth-Trunk group.
Format
eth-trunk trunk-id
undo eth-trunk trunk-id
Parameters
trunk-id: specifies the Eth-Trunk interface number.
Views
Ethernet interface view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Add GigabitEthernet 0/0/0 to Eth-Trunk 1.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] eth-trunk 1
Format
interface { virtual-template | loopback | null | interface-type } number
undo interface { virtual-template | loopback | GigabitEthernet } number
Parameters
virtual-template: creates a virtual template and enters the virtual template view.
null: creates a null interface and enters the null interface view.
interface-type: creates a sub-interface and enters the sub-interface view.
number: for a virtual template interface, the value ranges from 0 to 1023. For the Loopback interface, the value ranges from 0 to 1023. For the Null interface, the value is 0. For a sub-interface, the value ranges from 1 to 1024.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
There is only one Null interface, namely null0. It is always in the Up state and cannot be shut down or deleted. A virtual template must be created before a virtual access interface is created, and removed only after the virtual access interface has been closed and is no longer in use. The virtual Ethernet interface is used mainly for PPPoE/PPPoA. A sub-interface receives only packets carrying a VLAN tag; therefore, a sub-interface can be used only after it is added to a VLAN.
Examples
# Create virtual-template 10.
<Eudemon> system-view
[Eudemon] interface virtual-template 10
[Eudemon-Virtual-Template10]
Format
interface eth-trunk number
undo interface eth-trunk number
Parameters
eth-trunk: creates an Eth-Trunk interface and enters the Eth-Trunk interface view.
number: specifies the Eth-Trunk interface number. The value ranges from 0 to 7. For an Eth-Trunk sub-interface, the value ranges from 1 to 1024.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Only physical interfaces can be added to a Trunk interface, and a physical interface can be added only when it has no IP address configured and has joined a security zone. An Eth-Trunk interface supports at most four physical interfaces and 1024 sub-interfaces.
Examples
# Create interface Trunk0.
<Eudemon> system-view
[Eudemon] interface eth-trunk 0
[Eudemon-Eth-Trunk0]
Format
load-balance { ip | mac | packet-all }
undo load-balance
Parameters
ip: sets the hash algorithm of the interface to IP-based hash.
mac: sets the hash algorithm of the interface to MAC-based hash.
Views
Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
The L3 Trunk interface does not support the MAC-based hash.
Examples
# Set Trunk 0 to IP-based hash.
<Eudemon> system-view
[Eudemon] interface Eth-trunk 0
[Eudemon-Eth-Trunk0] load-balance ip
Format
display trunkfwdtbl eth-trunk trunk-id
Parameters
eth-trunk trunk-id: displays the forwarding table of an Eth-Trunk. The value ranges from 0 to 7.
Views
All views
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Display the forwarding table of an Eth-Trunk.
Format
display trunkmembership eth-trunk trunk-id
Parameters
eth-trunk trunk-id: displays the trunk member port of an Eth-Trunk. The value ranges from 0 to 7.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the Trunk members.
<Eudemon> display trunkmembership eth-trunk 1
Format
least active-linknumber link-number
Parameters
link-number: specifies the lower threshold of Up links. The value ranges from 1 to 4.
Views
Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
When the number of Up member ports in the trunk group is less than the lower threshold, the trunk interface goes Down. When the number of Up member ports reaches or exceeds the lower threshold, the trunk interface goes Up.
Examples
# Set the Eth-Trunk 1 Up when at least 3 links are Up.
<Eudemon> system-view
[Eudemon] interface eth-trunk 1
[Eudemon-Eth-Trunk1] least active-linknumber 3
Format
max bandwidth-affected-linknumber link-number
Parameters
link-number: specifies the upper limit on the number of Up member links. The value ranges from 1 to 4.
Views
Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
The command can be configured for the layer 2 Trunk interface only.
Examples
# Set to 3 the number of member links whose bandwidth changes affect Eth-Trunk 1, which is in the UP state.
<Eudemon> system-view
[Eudemon] interface eth-trunk 1
[Eudemon-Eth-Trunk1] max bandwidth-affected-linknumber 3
Format
display interface vlanif [ vlan-id ]
Parameters
vlan-id: specifies the ID of an existing VLAN. The value ranges from 1 to 4094.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Using the status and statistics of the interface collected by this command, you can measure the traffic on the interface and locate faults.
Examples
# Display information about the specified VLAN interface.
<Eudemon> display interface vlanif 2
vlanif2 current state : UP
Line protocol current state : UP
Description : HUAWEI, Eudemon Series, vlanif Interface
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.10.10.1/24
Table 2-7 shows the description of the display interface vlanif command output.

Table 2-7 Description of the display interface vlanif command output

Item: vlanif2 current state
Description: Indicates the physical status of vlanif2:
- UP: indicates that the physical layer status of the interface is normal.
- DOWN: indicates that the physical layer of the interface fails.
- Administratively down: indicates that the shutdown command has been run on the interface by the administrator.
- Flow Down: indicates that the status of the data flow on the interface is Down. This status is consistent with the status of the bound mVRRP virtual device. If the status of the bound mVRRP virtual device is Backup or Initialize, the status of the data flow on the service interface is Down.

Item: Line protocol current state
Description: Indicates the link protocol status of the interface:
- UP: indicates that the link protocol status of the interface is normal.
- UP (BFD status down): indicates that the BFD session bound to the interface has gone Down.
- UP (Main BFD status down): indicates that the BFD session associated with the main interface has gone Down and is associated with the status of the sub-interface. This status is displayed only on sub-interfaces.
- DOWN: indicates that the link protocol status of the interface fails or the interface is not configured with an IP address.
- UP (spoofing): indicates that the link protocol status of the interface has the spoofing feature, that is, the link protocol status of the interface stays Up.

Item: Description
Description: Indicates the description of the interface. Up to 64 characters can be entered. The description helps the user become familiar with the interface function.

Item: The Maximum Transmit Unit
Description: For the Ethernet interface or the serial interface, the default is 1500 bytes. A packet larger than the MTU is fragmented before being sent. If non-fragmentation is configured, the packet is discarded.

Item: Internet Address
Description: Indicates the IP address and the subnet mask of the interface.
The previous commands take effect when the Eudemon operates in transparent mode or composite mode.
Format
display vlan [ vlan-id ]
display vlan port-default [ vid vlan-id ]
display vlan port-trunk [ vid vlan-id ]
Parameters
vlan-id: specifies the VLAN ID. The value is an integer ranging from 1 to 4094.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the status of VLAN 3 and interfaces contained in VLAN 3.
<Eudemon> display vlan 3
The previous command takes effect when the Eudemon operates in transparent mode or composite mode.
Format
display vlan interface interface-type interface-number
Parameters
interface-type interface-number: specifies an interface. The interface types supported include Ethernet interface and Gigabit Ethernet interface.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the VLAN configuration on interface GigabitEthernet 0/0/0.
<Eudemon> display vlan statistics interface GigabitEthernet 0/0/0
The previous command takes effect when the Eudemon operates in transparent mode or composite mode.
Format
interface vlanif vlan-id
Parameters
vlan-id: specifies the VLAN ID. The value is an integer ranging from 1 to 4094.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Before creating a VLAN interface, you must create the related VLAN. VLAN interfaces are used for packet routing and forwarding. Through VLAN interfaces, users in different VLANs can access each other and directly access external networks, and security control is available. To implement the preceding functions, you must assign IP addresses to the VLAN interfaces, add the VLAN interfaces to security zones, and configure interzone security policies.
Examples
# Enter the VLAN 2 interface view from the system view.
<Eudemon> system-view
[Eudemon] vlan 2
[Eudemon-vlan2] quit
[Eudemon] interface vlanif 2
Format
port interface interface-type interface-number
undo port interface interface-type interface-number
Parameters
interface-type interface-number: specifies the interface type and the interface number.
Views
VLAN view.
Default Level
2: Configuration level
Usage Guidelines
NOTE
The previous commands take effect when the Eudemon operates in transparent mode or composite mode.
Examples
# Add GigabitEthernet 0/0/0 to VLAN 3.
<Eudemon> system-view
[Eudemon] vlan 3
[Eudemon-vlan3] port interface gigabitethernet 0/0/0
Format
port default vlan vlan-id
undo port default vlan
Parameters
vlan-id: specifies a VLAN ID. The value ranges from 2 to 4094.
Views
GigabitEthernet interface view.
Default Level
2: Configuration level
Usage Guidelines
When both the port trunk allow-pass vlan command and the port default vlan command are configured, the default VLAN is valid only if it is included in the VLANs allowed on the Trunk port. When the port trunk allow-pass vlan command is not configured, port default vlan takes effect directly.
The previous commands take effect when the Eudemon operates in transparent mode or composite mode.
Examples
# In the Ethernet interface view, add GigabitEthernet 0/0/0 to VLAN 2.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] portswitch
[Eudemon-GigabitEthernet0/0/0] port default vlan 2
Format
port trunk allow-pass vlan { { vlan-id [ to vlan-id ] } & <1-10> }
undo port trunk allow-pass vlan { { vlan-id [ to vlan-id ] } & <1-10> }
Parameters
vlan-id: the list of VLAN IDs. The value is an integer ranging from 1 to 4094.
Views
Ethernet interface view
Default Level
2: Configuration level
Usage Guidelines
After a port is allowed to pass VLANs, it becomes a Trunk port. When all permitted VLANs are removed from the Trunk port, the port becomes a non-Trunk port. By default, a port is a non-Trunk port. This command is used to configure a port as a Trunk port or cancel that configuration, and to configure or delete the list of VLAN IDs that can pass through the port. When specifying VLAN ranges, make sure that the VLAN ID following the keyword "to" is greater than the one before it and that the ranges do not overlap. You can specify one to ten VLAN ranges.
NOTE
Examples
# Set the Trunk port GigabitEthernet 0/0/0 to allow VLANs 2 to 10, VLAN 100, and VLAN 200 to pass.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] port trunk allow-pass vlan 2 to 10 100 200
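The VLAN-list rules stated above (the ID after "to" must be greater, ranges may not overlap, one to ten entries, IDs 1 to 4094) and the interplay between port default vlan and a Trunk port can be checked before a change is pushed. The following Python is an added example, not Huawei code; the parser also applies to the same `{ vlan-id [ to vlan-id ] } & <1-10>` syntax of undo vlan further below, and the TrunkPort class and its method names are the example's own.

```python
"""Added example (not Huawei code): validate a VLAN list in the
`{ vlan-id [ to vlan-id ] } & <1-10>` syntax and apply the port default vlan
rule from the usage guidelines to one modelled Trunk port."""
from __future__ import annotations

import re

VLAN_MIN, VLAN_MAX = 1, 4094   # range documented for vlan-id
MAX_ENTRIES = 10               # the <1-10> in the command format


class VlanListError(ValueError):
    """Raised when a VLAN list violates one of the documented rules."""


def _vlan_id(token: str) -> int:
    if not re.fullmatch(r"\d+", token):
        raise VlanListError(f"'{token}' is not a VLAN ID")
    vid = int(token)
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise VlanListError(f"VLAN {vid} is outside {VLAN_MIN}-{VLAN_MAX}")
    return vid


def parse_vlan_list(text: str) -> set[int]:
    """Turn e.g. '2 to 10 100 200' into the set {2..10, 100, 200}.

    Enforces: 1 to 10 entries, each a single ID or 'lo to hi'; every ID in
    1..4094; the ID after 'to' greater than the one before; no overlaps.
    """
    tokens = text.split()
    entries: list[tuple[int, int]] = []
    i = 0
    while i < len(tokens):
        lo = _vlan_id(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi = _vlan_id(tokens[i + 2])
            if hi <= lo:
                raise VlanListError(f"'{lo} to {hi}': the ID after 'to' must be greater")
            i += 3
        else:
            hi = lo
            i += 1
        entries.append((lo, hi))
    if not 1 <= len(entries) <= MAX_ENTRIES:
        raise VlanListError(f"{len(entries)} entries given, 1 to {MAX_ENTRIES} allowed")
    entries.sort()
    for (_, prev_hi), (lo, _) in zip(entries, entries[1:]):
        if lo <= prev_hi:                      # single IDs count as ranges of one
            raise VlanListError(f"overlapping entries around VLAN {lo}")
    return {v for lo, hi in entries for v in range(lo, hi + 1)}


class TrunkPort:
    """Trunk state of one GigabitEthernet port (hypothetical model)."""

    def __init__(self) -> None:
        self.allowed: set[int] = set()      # empty means non-Trunk port, the default
        self.default_vlan: int | None = None

    def port_trunk_allow_pass_vlan(self, text: str) -> None:
        self.allowed |= parse_vlan_list(text)

    def undo_port_trunk_allow_pass_vlan(self, text: str) -> None:
        self.allowed -= parse_vlan_list(text)  # removing every VLAN makes it non-Trunk again

    def port_default_vlan(self, vid: int) -> None:
        if not 2 <= vid <= VLAN_MAX:           # port default vlan accepts 2 to 4094
            raise VlanListError(f"default VLAN must be 2-{VLAN_MAX}")
        self.default_vlan = vid

    @property
    def is_trunk(self) -> bool:
        return bool(self.allowed)

    def effective_default_vlan(self) -> int | None:
        """On a non-Trunk port the default VLAN applies directly; on a Trunk
        port only if it is among the permitted VLANs."""
        if self.default_vlan is None:
            return None
        if self.is_trunk and self.default_vlan not in self.allowed:
            return None
        return self.default_vlan
```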
2.4.8 vlan
Function
Using the vlan command, you can create a VLAN and enter the VLAN view. If the VLAN exists, you can directly enter the VLAN view. Using the undo vlan command, you can delete a VLAN.
Format
vlan vlan-id
undo vlan vlan-id { vlan-id [ to vlan-id ] } & <1-10>
Parameters
vlan-id: specifies the VLAN ID. The value is an integer ranging from 1 to 4094.
Views
System view
Default Level
3: Management level
Usage Guidelines
By default, all the ports are added to the default VLAN, that is, VLAN 1. This command is used to configure a port as a Trunk port or cancel that configuration, and to configure or delete the list of VLAN IDs that can pass through the port. When specifying VLAN ranges, make sure that the VLAN ID following the keyword "to" is greater than the one before it and that the ranges do not overlap. You can specify one to ten VLAN ranges.
NOTE
The commands are valid when the Eudemon is in transparent or composite mode.
Examples
# Create a VLAN with ID 2. If the VLAN exists, you can directly enter the VLAN view.
Format
vlan-type dot1q vlan-id
Parameters
vlan-id: specifies the VLAN ID. The value ranges from 1 to 4094.
Views
Sub-Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, there is no encapsulation on the subinterface, nor VLAN ID related to the subinterface.
Examples
# Associate the sub-interface GigabitEthernet 0/0/0.1 with VLAN ID 60, using dot1q encapsulation.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0.1
[Eudemon-GigabitEthernet0/0/0.1] vlan-type dot1q 60
Function
Using the display ip interface command, you can view the configuration and the statistics of the interface related to IP.
Format
display ip interface brief [ interface-type interface-number ]
Parameters
interface-type interface-number: specifies the type and the number of an interface.
brief: displays summary information, including the IP address, the physical link state, the Up or Down state of the protocol, and the interface description.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Using the display ip interface brief command, you can view the configuration and the statistics of the interface related to IP, including:
- IP address
- Statuses of the physical link and protocol
- Description of the interface
By default, if no interface is specified, the system displays IP configuration and statistics of all interfaces.
Examples
# Display the running state of the interface GigabitEthernet 0/0/0.
<Eudemon> display ip interface brief GigabitEthernet 0/0/0
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 44768, bytes : 3248139, multicasts : 5
output packets : 349434, bytes : 20329975, multicasts : 318985
ARP packet input number: 1314
  Request packet: 169
  Reply packet: 1145
  Unknown packet: 0
Internet Address is 40.1.1.3/24
Broadcast address : 40.1.1.255
TTL invalid packet number: 0
ICMP packet input number: 11
  Echo reply: 4
  Unreachable: 3
  Source quench: 0
  Routing redirect: 0
Table 2-8 shows the description of the display ip interface command output.

Table 2-8 Description of the display ip interface GigabitEthernet 0/0/0 command output

Item: GigabitEthernet0/0/0 current state
Description: Indicates the physical status of GigabitEthernet0/0/0:
- UP: indicates the normal enabled state.
- DOWN: indicates the abnormal state.
- Administratively down: indicates that the administrator has run the shutdown command on the interface.

Item: Line protocol current state
Description: Indicates the link protocol status of the interface:
- UP: indicates the normal enabled state.
- DOWN: indicates the abnormal state, or that no IP address is configured on the interface.

Item: The Maximum Transmit Unit
Description: The MTU of the interface. For an Ethernet interface or a serial interface, the default is 1500 bytes. A packet larger than the MTU is fragmented before being sent; if non-fragmentation is configured, the packet is discarded.

Item: (not present in the example output above)
Description: Information about fast forwarding on the interface.

Item: input packets
Description: Number of input packets, bytes and multicast packets.

Item: output packets
Description: Number of output packets, bytes and multicast packets.

Item: ARP packet input number
Description: Statistics of the ARP packets received on the interface. For non-Ethernet interfaces, this item is 0. Statistics include:
- Total number of ARP packets
- Number of ARP request packets (Request packet)
- Number of ARP reply packets (Reply packet)
- Number of other ARP packets (Unknown packet)

Item: Internet Address
Description: IP address of the interface, in the format IP address/mask length.

Item: Broadcast address
Description: Broadcast address of the interface.

Item: TTL invalid packet number
Description: Number of packets whose TTL value is illegal. A packet with a TTL value of 0 or 1 is considered an illegal-TTL packet.

Item: ICMP packet input number
Description: Statistics of the ICMP packets received on the interface, including:
- Total number of packets
- Number of ECHO response packets
- Number of destination unreachable packets
- Number of source quench packets
- Number of routing redirection packets
- Number of ECHO request packets
- Number of router advertisement packets
- Number of router solicitation packets
- Number of timeout packets
- Number of IP header error packets
- Number of timestamp request packets
- Number of timestamp response packets
- Number of information request packets
- Number of information response packets
- Number of mask request packets
- Number of mask response packets
- Number of other ICMP packets

Item: Echo reply
Description: Indicates the number of echo-reply packets.

Item: Unreachable
Description: Indicates the number of packets with an unreachable destination.

Item: Source quench
Description: Indicates the number of source quench packets.

Item: Routing redirect
Description: Indicates the number of redirect packets.

Item: Echo request
Description: Indicates the number of echo-request packets.

Item: Router advert
Description: Indicates the number of router advertisement packets.

Item: Router solicit
Description: Indicates the number of router solicitation packets.

Item: Time exceed
Description: Indicates the number of timeout packets.

Item: IP header bad
Description: Indicates the number of packets with a corrupted IP header.

Item: Timestamp request
Description: Indicates the number of timestamp request packets.

Item: Timestamp reply
Description: Indicates the number of timestamp reply packets.

Item: Information request
Description: Indicates the number of information request packets.

Item: Information reply
Description: Indicates the number of information reply packets.

Item: Netmask request
Description: Indicates the number of mask request packets.

Item: Netmask reply
Description: Indicates the number of mask reply packets.

Item: Unknown type
Description: Indicates the number of packets of unknown type.

Item: DHCP packet deal mode
Description: The modes of handling DHCP packets include:
2.5.2 ip address
Function
Using the ip address command, you can set an IP address for an interface. Using the undo ip address command, you can delete an IP address of the interface.
Format
ip address ip-address net-mask [ sub ]
undo ip address [ ip-address net-mask [ sub ] ]
Parameters
ip-address: specifies the IP address of an interface, in dotted-decimal format. By default, no IP address is set.
net-mask: specifies the subnet mask, in dotted-decimal format or as the length of the IP mask.
sub: configures the address and mask as a secondary (subordinate) IP address, to enable communication among different subnets.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
IP addresses are classified into five classes, and users can select a proper IP subnet as required. Moreover, an address whose host part is all 0s or all 1s has a special use and cannot be used as an ordinary IP address. The mask identifies the network number in an IP address. For example, if the IP address of the Ethernet interface is 129.9.30.42 and the mask is 255.255.0.0, the network ID of this interface is 129.9.0.0 after the AND operation is performed on the IP address and the mask. Normally, one interface needs to be configured with only one IP address. However, to enable one interface of an Eudemon to connect to several subnets, one interface can be configured with several IP addresses. Among them, one is the primary IP address and the others are secondary IP addresses. The relationship between the primary and secondary IP addresses is as follows:
- The undo ip address command without parameters deletes all the IP addresses of the interface.
- The undo ip address ip-address net-mask command deletes the primary IP address, and undo ip address ip-address net-mask sub deletes a secondary address.
- All the secondary addresses must be deleted before the primary IP address is deleted.
In addition, the IP addresses assigned to the interfaces of an Eudemon cannot be located in the same subnet.
Examples
# Set the primary IP address of the interface GigabitEthernet 0/0/0 to 129.102.0.1 and its secondary IP address to 202.38.160.1, with the mask 255.255.255.0 for both subnets.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ip address 129.102.0.1 255.255.255.0
[Eudemon-GigabitEthernet0/0/0] ip address 202.38.160.1 255.255.255.0 sub
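To make the rules above concrete, here is an added Python model (not Huawei code) of the ip address and undo ip address semantics: the mask AND that yields the network ID, one primary plus secondary addresses per interface, the required deletion order, and the rule that addresses on one Eudemon may not share a subnet (read here as applying across interfaces). The Eudemon class, its method names and the assumption that re-issuing ip address without sub replaces the primary are the example's own.

```python
"""Added example (not Huawei code): model of ip address / undo ip address
rules using the standard-library ipaddress module."""
from __future__ import annotations

import ipaddress


class ConfigError(Exception):
    """Raised when a command would violate a documented rule."""


def _subnet(ip: str, mask: str) -> ipaddress.IPv4Network:
    # mask may be dotted-decimal ('255.255.0.0') or a prefix length ('16'), as the manual allows
    return ipaddress.IPv4Network((ip, mask), strict=False)


def network_id(ip: str, mask: str) -> str:
    """AND the address with the mask: 129.9.30.42 & 255.255.0.0 -> 129.9.0.0."""
    netmask = _subnet(ip, mask).netmask
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & int(netmask)))


class Eudemon:
    """Per-interface address state: one primary plus any secondary ('sub') addresses."""

    def __init__(self) -> None:
        self.primary: dict[str, tuple[str, ipaddress.IPv4Network]] = {}
        self.secondary: dict[str, list[tuple[str, ipaddress.IPv4Network]]] = {}

    def addresses(self, iface: str) -> list[tuple[str, ipaddress.IPv4Network]]:
        prim = [self.primary[iface]] if iface in self.primary else []
        return prim + self.secondary.get(iface, [])

    def ip_address(self, iface: str, ip: str, mask: str, sub: bool = False) -> None:
        """ip address ip-address net-mask [ sub ] in the interface view."""
        net = _subnet(ip, mask)
        # Addresses on different interfaces of the same Eudemon may not share a subnet.
        for other in self.primary.keys() | self.secondary.keys():
            if other != iface and any(n == net for _, n in self.addresses(other)):
                raise ConfigError(f"{ip} {mask} is in subnet {net}, already used on {other}")
        if sub:
            self.secondary.setdefault(iface, []).append((ip, net))
        else:
            self.primary[iface] = (ip, net)   # assumption: re-issuing replaces the primary

    def undo_ip_address(self, iface: str, ip: str | None = None,
                        mask: str | None = None, sub: bool = False) -> None:
        """undo ip address [ ip-address net-mask [ sub ] ]."""
        if ip is None:                         # no parameters: delete every address
            self.primary.pop(iface, None)
            self.secondary.pop(iface, None)
            return
        if mask is None:
            raise ConfigError("net-mask is required together with ip-address")
        entry = (ip, _subnet(ip, mask))
        if sub:
            secs = self.secondary.get(iface, [])
            if entry not in secs:
                raise ConfigError(f"{ip} is not a secondary address of {iface}")
            secs.remove(entry)
            return
        # Primary address: all secondary addresses must have been deleted first.
        if self.secondary.get(iface):
            raise ConfigError(f"delete the secondary addresses of {iface} first")
        if self.primary.get(iface) != entry:
            raise ConfigError(f"{ip} is not the primary address of {iface}")
        del self.primary[iface]
```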
Function
Using the ip address unnumbered command, you can enable an interface to borrow IP addresses from other interfaces. Using the undo ip address unnumbered command, you can disable unnumbered IP addresses.
Format
ip address unnumbered interface interface-type interface-number
undo ip address [ unnumbered ]
Parameters
interface-type interface-number: specifies the type and the number of the interface whose IP address is borrowed.
Views
Tunnel interface view, Virtual-Template interface view
Default Level
2: Configuration level
Usage Guidelines
By default, an interface is not allowed to borrow an IP address from another interface. The ip address unnumbered command is used to enable interfaces encapsulated with PPP, HDLC or frame relay, or the Tunnel interface, to borrow IP addresses from Ethernet interfaces, loopback interfaces or other interfaces. Ethernet interfaces cannot borrow IP addresses from other interfaces. Configure routes manually on the interface that borrows the IP address to implement interconnection among devices.
Examples
# Configure the interface Tunnel 1, encapsulated with PPP, to borrow the IP address of GigabitEthernet 0/0/1.
<Eudemon> system-view
[Eudemon] interface Tunnel 1
[Eudemon-Tunnel1] ip address unnumbered interface gigabitethernet 0/0/1
2.6.6 debugging arp packet
2.6.7 display arp
2.6.8 reset arp
Format
arp detect-times times
undo arp detect-times
Parameters
times: specifies the aging detection times of ARP item. The value is an integer ranging from 0 to 10. By default, the value is 3.
Views
Ethernet interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the value is 3. The arp detect-times command can be configured only on a main interface. Before aging a dynamic ARP entry, the system performs detection. If no response refreshes the entry within the set number of detections, the ARP entry is deleted. If the aging detection times are set to 0, the system performs no detection and ages the ARP entry directly.
Examples
# Set the aging detection times of ARP entries to 5.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] arp detect-times 5
Function
Using the arp expire-time command, you can set the aging expire time of ARP entries. Using the undo arp expire-time command, you can restore the default setting.
Format
arp expire-time time
undo arp expire-time
Parameters
time: specifies the aging expire time of ARP entries, in seconds. The value is an integer ranging from 60 to 1200.
Views
Ethernet interface view
Default Level
2: Configuration level
Usage Guidelines
The arp expire-time command can only be configured on a main interface.
Examples
# Set the expire time of ARP entries to 600 seconds.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] arp expire-time 600
Format
arp-proxy enable
undo arp-proxy enable
Parameters
None
Views
GigabitEthernet interface, sub interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the ARP proxy is disabled on the interface.
Examples
# Enable ARP proxy on sub interface GigabitEthernet 0/0/0.1.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0.1
[Eudemon-GigabitEthernet0/0/0.1] arp-proxy enable
Format
arp static ip-address mac-address [ vpn-instance vpn-instance ] [ vid vlan-id ]
undo arp static ip-address [ vpn-instance vpn-instance ]
Parameters
ip-address: specifies the IP address of the ARP mapping entry, in dotted decimal notation.
mac-address: specifies the Ethernet MAC address of the ARP mapping entry. Its format is H-H-H, in which H is a hexadecimal number of 1 to 4 digits.
vpn-instance vpn-instance: specifies the name of the VPN instance.
vid vlan-id: specifies the VLAN ID.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the ARP mapping table of the system is empty, and address mappings are obtained through dynamic ARP. Normally, the ARP mapping table is maintained by dynamic ARP, and manual configuration is needed only in special situations. Besides, the ARP mapping table is used only for LAN address resolution; WAN address resolution uses other configurations or acquisition means, such as the inverse address resolution of Frame Relay.
Examples
# Assign the Ethernet MAC address 00e0-fc01-0000 corresponding to the IP address 129.102.0.1.
<Eudemon> system-view
[Eudemon] arp static 129.102.0.1 00e0-fc01-0000
Format
arp multi-mac-permit
undo arp multi-mac-permit
Parameters
None
Views
Ethernet interface view
Default Level
2: Configuration level
Usage Guidelines
After this function is enabled, this interface and its sub-interface both can learn multicast ARP. By default, this function is disabled.
Examples
# Enable the learning capability of multicast MAC addresses on the interface GigabitEthernet 0/0/0.
Format
debugging arp packet
undo debugging arp packet
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Enable ARP packet debugging.
<Eudemon> debugging arp packet
Format
display arp interface interface-type interface-number [ vid vlan-id ] [ | { begin | include | exclude } text ]
display arp [ network network-address ] [ network-mask ] [ dynamic | static ] [ | { begin | include | exclude } text ]
display arp [ dynamic | static ] [ | { begin | include | exclude } text ]
display arp [ bridge ] [ vid vlan-id ] [ interface interface-type interface-number ]
display arp [ vpn-instance { vpn-name | public } ] [ dynamic | static ] [ | { begin | include | exclude } text ]
Parameters
interface-type interface-number: displays the ARP entries of the interface with the specified type and number.
vid vlan-id: displays the ARP entries of the specified VLAN.
static: displays static ARP entries.
dynamic: displays dynamic ARP entries.
network-address: specifies the network number.
network-mask: specifies the network mask.
text: specifies the information to be displayed, as a regular expression.
vpn-instance vpn-name: specifies the name of the VPN instance.
|: filters the output according to text.
begin: displays all lines starting from the first line that matches text.
exclude: displays all lines that do not contain text.
include: displays all lines that contain text.
bridge: indicates the ARP entries learned through L3 forwarding in transparent mode.
public: displays the ARP entries of VPN 0.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
By default, all the ARP entries of the RSU are displayed. When viewing the ARP mapping table, users with different rights see different results. For example:
- A super user can view all the configured ARP entries and the ARP entries belonging to a specified VPN instance.
- When running the display arp command, a virtual user can view only the ARP entries of the VPN instance to which the virtual user belongs.
When the virtual user runs the display arp command containing vpn-instance, the Eudemon displays the ARP entries of the specified VPN instance to which the user belongs. Otherwise, the prompt "Virtual configurer user can't access other VPN-Instance." is displayed.
Examples
# Display all static ARP entries.
<Eudemon> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE  VPN-INSTANCE  VLAN  PVC
172.16.1.10     0005-5d85-d54e            S                              100
10.110.98.245   00e0-fc0a-a719            I    GE1/0/2
10.110.98.1     00e0-fc08-0423  20        D    GE1/0/2
172.16.1.1      00e0-fc07-86b1            I    GE0/0/0    Quidway
172.16.1.2      00e0-fc07-8692  18        D    GE0/0/0    Quidway
-------------------------------------------------------------------
Total:5         Dynamic:2     Static:1    Interface:2

Table 2-9 shows the description of the display arp command output. There are five mapping entries in the table. Take the fifth as an example: its IP address is 172.16.1.2; its MAC address is 00e0-fc07-8692; the entry remains valid for another 18 minutes; it was obtained automatically through ARP; it is associated with GigabitEthernet0/0/0 and its VPN instance name is Quidway.

Table 2-9 Description of the display arp command output

Item: IP ADDRESS
Description: IP address.

Item: MAC ADDRESS
Description: MAC address.

Item: EXPIRE(M)
Description: Remaining keep-alive time of the ARP entry, in minutes.

Item: TYPE
Description: Type.

Item: INTERFACE
Description: Interface name.

Item: VLAN
Description: VLAN ID.

Item: PVC
Description: Interface where the PVC resides, and the VPI/VCI.
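ARP tables like the one above are often collected from many devices by script. The following Python is an added example (not Huawei code) that parses display arp output into records, recognising the optional EXPIRE(M), INTERFACE, VPN-INSTANCE and VLAN columns by their shape, and reconciles the rows with the Total/Dynamic/Static/Interface summary line so that a truncated or inconsistent capture is noticed; the sample text is constructed from the output above.

```python
"""Added example (not Huawei code): parse display arp output and reconcile
the rows with its summary line."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, laid out like the manual's example output.
SAMPLE_OUTPUT = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE  VPN-INSTANCE  VLAN  PVC
172.16.1.10     0005-5d85-d54e            S                              100
10.110.98.245   00e0-fc0a-a719            I    GE1/0/2
10.110.98.1     00e0-fc08-0423  20        D    GE1/0/2
172.16.1.1      00e0-fc07-86b1            I    GE0/0/0    Quidway
172.16.1.2      00e0-fc07-8692  18        D    GE0/0/0    Quidway
-------------------------------------------------------------------
Total:5         Dynamic:2     Static:1    Interface:2
"""

TYPE_NAMES = {"D": "dynamic", "S": "static", "I": "interface"}
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.I)   # H-H-H form
IFACE_RE = re.compile(r"^[A-Za-z]+\d+(/\d+)*(\.\d+)?$")               # e.g. GE0/0/0, GE0/0/0.1


@dataclass
class ArpEntry:
    ip: str
    mac: str
    type: str                  # D, S or I
    expire_min: int | None     # EXPIRE(M); blank for static and interface entries
    interface: str | None
    vpn_instance: str | None
    vlan: int | None


def parse_entry(line: str) -> ArpEntry:
    """Whitespace-split one table row; optional columns are recognised by shape."""
    tok = line.split()
    ip, mac = tok[0], tok[1]
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC in row: {line!r}")
    idx, expire = 2, None
    if tok[idx].isdigit():                     # EXPIRE(M) is present only on dynamic rows
        expire, idx = int(tok[idx]), idx + 1
    typ, idx = tok[idx], idx + 1
    if typ not in TYPE_NAMES:
        raise ValueError(f"unknown TYPE {typ!r} in row: {line!r}")
    interface = vpn = vlan = None
    for t in tok[idx:]:
        if interface is None and IFACE_RE.match(t):
            interface = t
        elif vlan is None and t.isdigit():
            vlan = int(t)
        elif vpn is None:
            vpn = t
    return ArpEntry(ip, mac, typ, expire, interface, vpn, vlan)


def parse_display_arp(text: str) -> tuple[list[ArpEntry], dict[str, int]]:
    """Return the entry rows and the summary counts from a display arp capture."""
    entries: list[ArpEntry] = []
    summary: dict[str, int] = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("IP ADDRESS") or s.startswith("-"):
            continue
        if s.startswith("Total:"):
            summary = {k: int(v) for k, v in re.findall(r"(\w+):(\d+)", s)}
            continue
        entries.append(parse_entry(s))
    return entries, summary


def reconcile(entries: list[ArpEntry], summary: dict[str, int]) -> dict[str, int]:
    """Count the rows by type and raise if the summary line disagrees
    (for example because the capture was cut short)."""
    counts = {"Total": len(entries)}
    for code, name in TYPE_NAMES.items():
        counts[name.capitalize()] = sum(e.type == code for e in entries)
    mismatch = {k: (counts[k], summary.get(k)) for k in counts if summary.get(k) != counts[k]}
    if mismatch:
        raise ValueError(f"summary line disagrees with rows: {mismatch}")
    return counts
```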
Format
reset arp [ all | dynamic | static | interface interface-type interface-number | bridge ]
reset arp bridge [ vid vlan-id ] [ interface interface-type interface-number ]
Parameters
static: resets the static ARP entries.
dynamic: resets the dynamic ARP entries.
all: resets all ARP entries.
interface: indicates the selected interface.
interface-type interface-number: specifies the type and the number of an interface.
bridge: clears the dynamic entries of the VLAN interface.
vid vlan-id: specifies the VLAN ID. The value ranges from 1 to 4094.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
By default, the operation is performed on the RSU board. When the operation is performed on a specified interface, the interface type can only be Ethernet, and only the dynamic entries on that interface can be deleted.
Examples
# Delete the static entry in the ARP mapping table on the main control board.
<Eudemon> reset arp static
# The following example deletes the dynamic entry in the ARP mapping table on GigabitEthernet 0/0/0.
<Eudemon> reset arp interface GigabitEthernet 0/0/0
Format
display ip host
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display all the host names and their IP addresses.
<Eudemon> display ip host
Host        Age   Flags    Address
h1          0     static   10.1.1.1
h2          0     static   10.1.1.2
2.7.2 ip host
Function
Using the ip host command, you can assign the IP address corresponding to a host name. Using the undo ip host command, you can cancel the configuration.
Format
ip host host-name ip-address
undo ip host host-name [ ip-address ]
Parameters
host-name: specifies the name of a host, with 1 to 20 characters.
ip-address: specifies the IP address corresponding to the host name, in the format X.X.X.X.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no host name or IP address is configured. You can set up to 50 static domain name resolution entries.
Examples
# Assign the IP address corresponding to the host Eudemon1 as 10.110.0.1.
<Eudemon> system-view
[Eudemon] ip host Eudemon1 10.110.0.1
2.8.17 dhcp server nbns-list (System View)
2.8.18 dhcp server netbios-type (Interface View)
2.8.19 dhcp server netbios-type (System View)
2.8.20 dhcp server option (Interface View)
2.8.21 dhcp server option (System View)
2.8.22 dhcp server ping
2.8.23 dhcp server static-bind
2.8.24 display dhcp relay address
2.8.25 display dhcp relay statistics
2.8.26 display dhcp server conflict
2.8.27 display dhcp server expired
2.8.28 display dhcp server free-ip
2.8.29 display dhcp server ip-in-use
2.8.30 display dhcp server statistics
2.8.31 display dhcp server tree
2.8.32 dns-list
2.8.33 domain-name
2.8.34 expired
2.8.35 gateway-list
2.8.36 ip relay address (Interface View)
2.8.37 ip relay address (System View)
2.8.38 ip relay address cycle
2.8.39 nbns-list
2.8.40 netbios-type
2.8.41 network (DHCP)
2.8.42 option
2.8.43 reset dhcp relay statistics
2.8.44 reset dhcp server conflict
2.8.45 reset dhcp server ip-in-use
2.8.46 reset dhcp server statistics
2.8.47 static-bind ip-address
2.8.48 static-bind mac-address
Format
debugging dhcp relay { all | error | event | packet [ client mac mac-address ] }
undo debugging dhcp relay { all | error | event | packet [ client mac mac-address ] }
Parameters
all: debugs all DHCP relay information.
error: indicates unknown packet information or error information.
event: debugs DHCP relay events.
packet: indicates the packets of various protocols received by or sent from the DHCP relay.
mac-address: specifies the MAC address of the DHCP client, in the format H-H-H.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, DHCP relay debugging is disabled. Before enabling the debugging of all DHCP relay packets by running the debugging dhcp relay packet command, you need to disable the debugging of DHCP relay packets with a specified MAC address by running the debugging dhcp relay packet client mac command. Otherwise, only the debugging information of the DHCP relay packets with the specified MAC address is displayed.
Examples
# Display the packets sent from the client with MAC address 0050-BA34-2117 to the DHCP server. This allows you to view all the packets the client sends to request an IP address.
<Eudemon> debugging dhcp relay packet client mac 0050-ba34-2117
Function
Using the debugging dhcp server command, you can enable the DHCP server debugging. Using the undo debugging dhcp server command, you can disable the debugging.
Format
debugging dhcp server { all | error | event | packet }
undo debugging dhcp server { all | error | event | packet }
Parameters
all: debugs all DHCP server information.
error: debugs DHCP server errors, including errors that occur during DHCP packet processing and address allocation.
event: debugs DHCP server events, including address allocation and ping-check timeouts.
packet: debugs DHCP packets, including the packets received or transmitted by the DHCP server and the transmission of and responses to ping packets.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, DHCP server debugging is disabled. Use this command in the user view to debug the DHCP server, view the debugging information and locate faults.
Examples
# Enable the DHCP server events debugging.
<Eudemon> debugging dhcp server event
Format
dhcp enable
undo dhcp enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, DHCP is enabled. Use this command before configuring DHCP. Note that you must enable DHCP on both the DHCP server and the DHCP relay.
Examples
# Enable DHCP on the current Eudemon.
<Eudemon> system-view
[Eudemon] dhcp enable
Format
dhcp relay release client-ip-address mac-address [ server-ip-address ]
Parameters
client-ip-address: specifies the IP address of the DHCP client.
mac-address: specifies the MAC address of the DHCP client, in the format H-H-H.
server-ip-address: specifies the IP address of the DHCP server.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Request the release of the IP address 10.27.10.1 assigned to the client with MAC address aaaa-aaaa-aaaa.
<Eudemon> system-view
[Eudemon] dhcp relay release 10.27.10.1 aaaa-aaaa-aaaa
Format
dhcp select { global | interface | relay }
undo dhcp select
Parameters
global: transmits the DHCP packets to the local DHCP server, which assigns addresses from the global address pool.
interface: transmits the DHCP packets to the local DHCP server, which assigns addresses from the interface address pool.
relay: transmits the DHCP packets through the relay to the external DHCP server, which assigns the addresses.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the DHCP packets whose destination address is the local host are transmitted to the internal server. The internal server assigns addresses in the global address pool (in the global mode).
Examples
# For the DHCP packets whose destination address is the local host, configure the internal DHCP server to assign addresses from the interface address pool.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] dhcp select interface
Format
dhcp select { global | interface | relay } { all | interface interface-type interface-number to interface-type interface-number }
undo dhcp select { all | interface interface-type interface-number to interface-type interface-number }
Parameters
global: transmits the DHCP packets to the local DHCP server, which assigns addresses from the global address pool.
interface: transmits the DHCP packets to the local DHCP server, which assigns addresses from the interface address pool.
relay: transmits the DHCP packets through the relay to the external DHCP server, which assigns the addresses.
all: specifies all global address pools and interface address pools.
interface-type interface-number: specifies the type and the number of the interface.
to: connects two interfaces and indicates all interfaces (including the two) whose interface numbers lie between them.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the DHCP packets whose destination address is the local host are transmitted to the internal server to assign addresses in the global address pool (in the global mode).
Examples
# Configure the interfaces from GigabitEthernet0/0/0.1 to GigabitEthernet0/0/0.5 to assign addresses in the interface address pool on the internal server to the DHCP packets whose destination address is the local host.
<Eudemon> system-view
[Eudemon] dhcp select interface interface GigabitEthernet 0/0/0.1 to GigabitEthernet 0/0/0.5
Format
dhcp server detect
undo dhcp server detect
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the pseudo DHCP server detect function is disabled.
Examples
# Enable detecting the pseudo DHCP server.
<Eudemon> system-view
[Eudemon] dhcp server detect
Using the undo dhcp server dns-list command, you can remove the specified IP address of the DNS server.
Format
dhcp server dns-list ip-address & <1-8>
undo dhcp server dns-list { ip-address | all }
Parameters
ip-address: specifies the IP address of the DNS server. In the command, you can configure up to eight IP addresses for the DNS servers. These IP addresses are separated by spaces. By default, no IP address of the DNS server is configured.
all: all the IP addresses.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
Use this command to specify the IP address of the DNS server used by the DHCP client that connects with the local interface. In this way, the client can access the host through the domain name. At present, up to eight IP addresses of the DNS server can be configured in a DHCP address pool.
Examples
# Specify the DNS server 1.1.1.254 for the DHCP address pool interface on GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] dhcp server dns-list 1.1.1.254
Format
dhcp server dns-list ip-address & <1-8> { all | interface interface-type interface-number to interface-type interface-number }
undo dhcp server dns-list { ip-address | all } { all | interface interface-type interface-number to interface-type interface-number }
Parameters
ip-address: specifies the IP address of the DNS server. In the command, you can configure up to eight IP addresses for the DNS servers. These IP addresses are separated by spaces. By default, no IP address of the DNS server is configured.
all: all the IP addresses.
interface-type interface-number: specifies the type and the number of the interface.
to: connects two interfaces and indicates all interfaces (including the two interfaces) whose interface numbers lie between the two interfaces.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
At present, up to eight IP addresses of the DNS server can be configured in a DHCP address pool.
Examples
# Specify the DNS server 1.1.1.254 for the DHCP address pools configured on the interfaces from GE 0/0/0.1 to GE 0/0/2.
<Eudemon> system-view
[Eudemon] dhcp server dns-list 1.1.1.254 interface gigabitethernet 0/0/0 to gigabitethernet 0/0/2
Format
dhcp server domain-name domain-name
undo dhcp server domain-name
Parameters
domain-name: specifies the domain name that the DHCP server assigns to the client host. It is a string of 3 to 50 characters. By default, no domain name is assigned to the DHCP client.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the domain name of the DHCP address pool on the interface to eth1_0_0.com.cn.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] dhcp server domain-name eth1_0_0.com.cn
Format
dhcp server domain-name domain-name { all | interface interface-type interface-number to interface-type interface-number }
undo dhcp server domain-name { all | interface interface-type interface-number to interface-type interface-number }
Parameters
domain-name: specifies the domain name that the DHCP server assigns to the client host. It is a string of 3 to 50 characters. By default, no domain name is assigned to the DHCP client.
all: indicates all global address pools and interface address pools.
interface-type interface-number: specifies the interface type and the interface number.
to: connects two sub-interfaces and indicates all sub-interfaces (including the two sub-interfaces) whose sub-interface numbers lie between the two sub-interfaces.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the domain name of the DHCP address pools on the interfaces from GE 0/0/0 to GE 0/0/2 as ge0_1_2.com.cn.
<Eudemon> system-view
[Eudemon] dhcp server domain-name ge0_1_2.com.cn interface gigabitethernet 0/0/0 to gigabitethernet 0/0/2
Format
dhcp server expired { day day { hour hour [ all | minute minute ] } | unlimited }
undo dhcp server expired
Parameters
day day: specifies the days the validity lasts. The value ranges from 0 to 365. By default, it is one day.
hour hour: specifies the hours the validity lasts. The value ranges from 0 to 23.
minute minute: specifies the minutes the validity lasts. The value ranges from 0 to 59.
unlimited: indicates that the period of validity is unlimited.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
Different IP addresses of the hosts have different address leases. Use this command to configure the period of validity of the lease for the IP addresses in the DHCP address pool on the current interface.
Examples
# Configure an unlimited period of validity for the leases of IP addresses in the address pool on the interface GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] dhcp server expired unlimited
Format
dhcp server expired { day day { hour hour [ all | minute minute ] } | unlimited } { all | interface interface-type interface-number to interface-type interface-number }
undo dhcp server expired { all | interface interface-type interface-number to interface-type interface-number }
Parameters
day day: specifies the days the validity lasts. The value ranges from 0 to 365. By default, it is one day.
hour hour: specifies the hours the validity lasts. The value ranges from 0 to 23.
minute minute: specifies the minutes the validity lasts. The value ranges from 0 to 59.
unlimited: indicates that the period of validity is unlimited.
all: specifies all global address pools and interface address pools.
interface-type interface-number: specifies the type and the number of the sub-interface.
to: connects two sub-interfaces and indicates all sub-interfaces (including the two sub-interfaces) whose sub-interface numbers lie between the two sub-interfaces.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Configure an unlimited period of validity of the leases for IP addresses in the address pools on the interfaces from GE 0/0/0 to GE 0/0/2.
<Eudemon> system-view
[Eudemon] dhcp server expired unlimited interface gigabitethernet 0/0/0 to gigabitethernet 0/0/2
Format
dhcp server forbidden-ip low-ip-address [ high-ip-address ]
undo dhcp server forbidden-ip low-ip-address [ high-ip-address ]
Parameters
low-ip-address: specifies the start IP address of the address range that does not participate in auto-allocation.
high-ip-address: specifies the maximum IP address that does not participate in auto-allocation. It is in the same segment as low-ip-address and should be larger than low-ip-address. If this parameter is not specified, the range contains only one IP address, that is, low-ip-address.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, all the IP addresses in address pools participate in auto-allocation. Use this command several times to set different IP address ranges that do not participate in auto-allocation. When the undo dhcp server forbidden-ip command is used to delete the settings, the parameters must be identical to the configured ones; a part of a configured address range cannot be deleted.
Examples
# Reserve the IP addresses from 10.110.1.1 to 10.110.1.63 so that they do not participate in auto-allocation.
<Eudemon> system-view
[Eudemon] dhcp server forbidden-ip 10.110.1.1 10.110.1.63
Format
dhcp server ip-pool pool-name
undo dhcp server ip-pool pool-name
Parameters
pool-name: specifies the name of the address pool, which uniquely identifies the pool. It is a string of 1 to 35 characters. By default, no DHCP address pool is created.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When using the dhcp server ip-pool pool-name command, you enter the DHCP address pool view directly if the specified address pool exists. Otherwise, the address pool is created first and then the DHCP address pool view is entered. Each DHCP server can be configured with multiple address pools. At present, 50 non-local address pools are supported.
Examples
# Create the DHCP address pool named 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0]
Function
Using the dhcp server nbns-list command, you can configure the IP address of the NetBIOS server that the DHCP address pool assigns to its clients. Using the undo dhcp server nbns-list command, you can delete the configuration.
Format
dhcp server nbns-list ip-address & <1-8>
undo dhcp server nbns-list { ip-address | all }
Parameters
ip-address: specifies the IP address of the NetBIOS server. Up to eight IP addresses can be configured in one command, separated by spaces.
all: indicates all global address pools and interface address pools.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, no NetBIOS address is configured. At present, each DHCP address pool can be associated with eight NetBIOS servers.
Examples
# Configure the DHCP address pool on GigabitEthernet 0/0/0 to allocate the NetBIOS server with the IP address as 10.12.1.99 to its clients.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] dhcp server nbns-list 10.12.1.99
Format
dhcp server nbns-list ip-address & <1-8> { all | interface interface-type interface-number to interface-type interface-number }
undo dhcp server nbns-list { ip-address | all } { all | interface interface-type interface-number to interface-type interface-number }
Parameters
ip-address: specifies the IP address of the NetBIOS server. Up to eight IP addresses can be configured in one command, separated by spaces.
all: indicates all global address pools and interface address pools.
interface-type interface-number: specifies the type and the number of the sub-interface.
to: connects two sub-interfaces and indicates all sub-interfaces (including the two sub-interfaces) whose sub-interface numbers lie between the two sub-interfaces.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no NetBIOS address is configured. At present, each DHCP address pool can be associated with eight NetBIOS servers.
Examples
# Configure the DHCP address pools on the interfaces from GE 0/0/0 to GE 0/0/2 to allocate the NetBIOS server with the IP address 10.12.1.99 to their clients.
<Eudemon> system-view
[Eudemon] dhcp server nbns-list 10.12.1.99 interface gigabitethernet 0/0/0 to gigabitethernet 0/0/2
Format
dhcp server netbios-type { b-node | h-node | m-node | p-node }
Parameters
b-node: indicates the broadcast mode, in which the mapping between the host name and the IP address is obtained by broadcast.
p-node: indicates the peer-to-peer mode, in which the mapping is obtained through communication with the NetBIOS server.
m-node: indicates the mixed mode, namely, the p-node with the broadcast feature.
h-node: indicates the hybrid mode, namely, the b-node with the peer-to-peer communication mechanism.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, h-node is specified for the client. When the NetBIOS protocol is used on the WAN, the DHCP client needs to set the mapping between the host name and the IP address. After using this command, you cannot use the display current-configuration command to display the information. Instead, you can run the dhcp server netbios-type command recursively to display the information.
Examples
# Configure the DHCP address pool on GE 0/0/1 to allocate the p-node NetBIOS to the client.
<Eudemon> system-view
[Eudemon] interface gigabitethernet 0/0/1
[Eudemon-GigabitEthernet0/0/1] dhcp server netbios-type p-node
Format
dhcp server netbios-type { b-node | h-node | m-node | p-node } { all | interface interface-type interface-number to interface-type interface-number }
undo dhcp server netbios-type { b-node | h-node | m-node | p-node } { all | interface interface-type interface-number to interface-type interface-number }
Parameters
b-node: indicates the broadcast mode, in which the mapping between the host name and the IP address is obtained by broadcast.
p-node: indicates the peer-to-peer mode, in which the mapping is obtained through communication with the NetBIOS server.
m-node: indicates the mixed mode, namely, the p-node with the broadcast feature.
h-node: indicates the hybrid mode, namely, the b-node with the peer-to-peer communication mechanism.
interface-type interface-number: specifies the type and the number of the sub-interface.
to: connects two sub-interfaces and indicates all sub-interfaces (including the two sub-interfaces) whose sub-interface numbers lie between the two sub-interfaces.
all: indicates all the interfaces.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, h-node is specified for the client. When the NetBIOS protocol is used on the WAN, the DHCP client needs to set the mapping between the host name and the IP address. After using this command, you cannot use the display current-configuration command to display the information. Instead, you can run the dhcp server netbios-type command recursively to display the information.
Examples
# Configure p-node NetBIOS to the client in the interface address pool from GigabitEthernet 0/0/0 to GigabitEthernet 0/0/2.
<Eudemon> system-view
[Eudemon] dhcp server netbios-type p-node interface GigabitEthernet 0/0/0 to GigabitEthernet 0/0/2
Function
Using the dhcp server option command, you can configure the user-defined options of the DHCP address pool on the current interface. Using the undo dhcp server option command, you can delete the configuration.
Format
dhcp server option code { ascii ascii-string | hex hex-string &<1-10> | ip-address ip-address &<1-8> }
undo dhcp server option code
Parameters
code: specifies the value of the user-defined option. The value is an integer ranging from 2 to 254.
ascii ascii-string: indicates an ASCII character string. ascii-string is a string of 1 to 63 characters.
hex hex-string: indicates a hexadecimal string of 2 or 4 hexadecimal digits (such as hh or hhhh). You can configure one to ten strings.
ip-address ip-address: specifies the IP address carried by the option. You can configure one to eight IP addresses.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Define option code 100 as the hexadecimal values 0x11 and 0x22 for the DHCP address pool on GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] dhcp server option 100 hex 11 22
Using the undo dhcp server option command, you can delete the configuration.
Format
dhcp server option code { ascii ascii-string | hex hex-string &<1-10> | ip-address ip-address &<1-8> } { all | interface interface-type interface-number1 to interface-type interface-number2 }
undo dhcp server option code { all | interface interface-type interface-number to interface-type interface-number }
Parameters
code: specifies the value of the user-defined option. The value is an integer ranging from 2 to 254.
ascii ascii-string: indicates an ASCII character string. ascii-string is a string of 1 to 63 characters.
hex hex-string: indicates a hexadecimal string of 2 or 4 hexadecimal digits (such as hh or hhhh). You can configure one to ten strings.
ip-address ip-address: specifies the IP address carried by the option. You can configure one to eight IP addresses.
interface-type interface-number1: specifies the type and the number of the sub-interface.
to: connects two sub-interfaces and indicates all sub-interfaces (including the two sub-interfaces) whose sub-interface numbers lie between the two sub-interfaces.
all: indicates all global address pools and interface address pools.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Define option code 100 as the hexadecimal values 0x11 and 0x22 for the address pools on the interfaces from GE 0/0/0 to GE 0/0/2.
<Eudemon> system-view
[Eudemon] dhcp server option 100 hex 11 22 interface gigabitethernet 0/0/0 to gigabitethernet 0/0/2
Function
Using the dhcp server ping command, you can configure the maximum number and the longest response-wait time of the ping packets. Using the undo dhcp server ping command, you can restore the default.
Format
dhcp server ping { packets number | timeout interval }
undo dhcp server ping { packets | timeout }
Parameters
packets number: specifies the maximum number of ping packets to be sent. It is an integer ranging from 0 to 10. 0 indicates no ping operation. By default, it is 2.
timeout interval: indicates the longest response-wait time for each ping packet in milliseconds. It is an integer ranging from 0 to 10000 milliseconds. By default, it is 500 milliseconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The DHCP server detects the utilization of the addresses by sending ping packets to avoid the address collision caused by the repeated allocation of IP addresses.
Examples
# Set the maximum number of ping packets sent by the DHCP server to 10, and keep the default response-wait time of 500 ms.
<Eudemon> system-view
[Eudemon] dhcp server ping packets 10
Format
dhcp server static-bind ip-address ip-address mac-address mac-address
Parameters
ip-address: specifies the IP address to be statically bound. It must be a valid IP address in the current interface address pool.
mac-address: specifies the MAC address to be statically bound.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, static address binding is not configured in the interface address pool. IP address and MAC address must be unique in all the static address bindings on an interface.
NOTE
Address pools must be enabled on the interface; otherwise, the command cannot run.
Examples
# Statically bind the MAC address 0000-e03f-0305 with the IP address 10.1.1.1.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] dhcp server static-bind ip-address 10.1.1.1 mac-address 0000-e03f-0305
Format
display dhcp relay address [ interface interface-type interface-number | all ]
Parameters
interface-type interface-number: specifies the type and the number of the interface.
all: indicates all the interfaces.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the DHCP relay address configurations of all the interfaces.
<Eudemon> display dhcp relay address all
** GigabitEthernet0/0/0 DHCP Relay Address **
Relay Address [0] : 3.3.3.3
Format
display dhcp relay statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the statistics of the DHCP relay.
<Eudemon> display dhcp relay statistics
Bad Packets received:                 0
DHCP packets received from clients:   0
DHCP DISCOVER packets received:       0
Format
display dhcp server conflict { all | ip ip-address }
Parameters
all: displays statistics on all conflicting IP addresses.
ip-address: displays statistics on the specified conflicting IP address.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the statistics of the DHCP address collision.
<Eudemon> display dhcp server conflict all
Address          Discover Time
10.110.1.2       Jan 11 2003 11:57: 7 PM
Table 2-10 shows the description of the display dhcp server conflict command output.
Table 2-10 Description of the display dhcp server conflict command output
Item            Description
Address         Conflicting IP addresses
Discover Time   Time at which the conflict was discovered
Format
display dhcp server expired { ip ip-address | pool [ pool-name ] | interface [ interface-type interface-number ] | all }
Parameters
ip-address: specifies an expired IP address.
pool-name: specifies the name of the global address pool. It is a string of 1 to 64 characters. If no pool name is specified, all global address pools are indicated.
interface-type interface-number: specifies the address pool of the interface. If this parameter is absent, all the interface address pools are indicated.
all: displays all expired IP addresses.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the expired lease in the DHCP address pool.
<Eudemon> display dhcp server expired all
Global pool:
IP address   Hardware address   Lease expiration   Type
2.2.2.2      4444-4444-4444     NOT Used           Manual
Table 2-11 shows the description of the display dhcp server expired command output.
Table 2-11 Description of the display dhcp server expired command output
Item               Description
Global pool:       Information of the expired leases in the global address pool
Interface pool:    Information of the expired leases in the interface address pool
IP address         Bound IP addresses
Hardware address   Bound MAC addresses
Lease expiration   Time of the lease expiration
Type               Type of the address binding
Format
display dhcp server free-ip
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the available address range of the DHCP address pool.
<Eudemon> display dhcp server free-ip
IP Range from 1.0.0.0 to 2.2.2.1
IP Range from 2.2.2.3 to
IP Range from 4.0.0.0 to
IP Range from 5.5.5.0 to
IP Range from 5.5.5.2 to
Table 2-12 shows the description of the display dhcp server free-ip command output.
Table 2-12 Description of the display dhcp server free-ip command output
Item                  Description
IP Range from ... to  Displays an available address range of the DHCP address pool
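The forbidden-ip ranges, static bindings and the ping probe configured with dhcp server ping all decide what the free-ip output can report. The following Python model is an added example, not Huawei's code: it reproduces that derivation for a pool described by a constructed inclusive address range, and the AddressPool class, its method names and the host_answers callback standing in for the ICMP probe are assumptions, not device internals.

```python
"""Added example (not Huawei's code): model of one interface address pool showing how
'dhcp server forbidden-ip', bound addresses and the probe of 'dhcp server ping'
shape the ranges that 'display dhcp server free-ip' reports."""
import ipaddress
from typing import Callable, List, Optional, Tuple

Addr = ipaddress.IPv4Address
Range = Tuple[Addr, Addr]  # inclusive low..high, like low-ip-address high-ip-address


class AddressPool:
    """Pool given as an inclusive range (a constructed model, not the device's data)."""

    def __init__(self, low: str, high: str, ping_packets: int = 2):
        self.low, self.high = Addr(low), Addr(high)
        if self.high < self.low:
            raise ValueError("pool high address must not be below the low address")
        self.ping_packets = ping_packets     # 'dhcp server ping packets'; 0 = no probe
        self.forbidden: List[Range] = []
        self.in_use: set = set()            # statically or dynamically bound addresses
        self.conflicts: List[Addr] = []     # what 'display dhcp server conflict' would list

    def _check(self, a: Addr) -> None:
        if not self.low <= a <= self.high:
            raise ValueError(f"{a} is outside the pool")

    def forbid(self, low: str, high: Optional[str] = None) -> None:
        """dhcp server forbidden-ip low [high]: high defaults to low and must not be below it."""
        lo, hi = Addr(low), Addr(high if high else low)
        self._check(lo)
        self._check(hi)
        if hi < lo:
            raise ValueError("high-ip-address must be larger than low-ip-address")
        self.forbidden.append((lo, hi))

    def undo_forbid(self, low: str, high: Optional[str] = None) -> None:
        """undo dhcp server forbidden-ip: the range must match exactly; no partial removal."""
        key = (Addr(low), Addr(high if high else low))
        if key not in self.forbidden:
            raise ValueError("parameters must be identical to a configured forbidden range")
        self.forbidden.remove(key)

    def static_bind(self, ip: str) -> None:
        """dhcp server static-bind: the address must be valid in this pool and unused."""
        a = Addr(ip)
        self._check(a)
        if a in self.in_use:
            raise ValueError("IP address already bound")
        self.in_use.add(a)

    def free_ranges(self) -> List[Range]:
        """Addresses still available for auto-allocation, as contiguous ranges."""
        excluded = sorted(self.forbidden + [(a, a) for a in self.in_use | set(self.conflicts)])
        out: List[Range] = []
        cursor = int(self.low)
        for lo, hi in excluded:
            if int(lo) > cursor:
                out.append((Addr(cursor), Addr(int(lo) - 1)))
            cursor = max(cursor, int(hi) + 1)
        if cursor <= int(self.high):
            out.append((Addr(cursor), self.high))
        return out

    def display_free_ip(self) -> str:
        """Same shape as the 'display dhcp server free-ip' output on the page."""
        return "\n".join(f"IP Range from {lo} to {hi}" for lo, hi in self.free_ranges())

    def allocate(self, host_answers: Callable[[Addr], bool]) -> Optional[Addr]:
        """Hand out the first free address that does not answer the ping probe.
        host_answers stands in for an ICMP echo reply.  With ping packets set to 0
        the probe is skipped, so a host silently squatting on an address is not seen."""
        for lo, hi in self.free_ranges():
            for n in range(int(lo), int(hi) + 1):
                cand = Addr(n)
                if any(host_answers(cand) for _ in range(self.ping_packets)):
                    self.conflicts.append(cand)   # recorded as a conflict, never offered
                    continue
                self.in_use.add(cand)
                return cand
        return None


if __name__ == "__main__":
    # Constructed sample mirroring the page's 'forbidden-ip 10.110.1.1 10.110.1.63' example
    pool = AddressPool("10.110.1.1", "10.110.1.254")
    pool.forbid("10.110.1.1", "10.110.1.63")
    pool.static_bind("10.110.1.100")
    squatter = Addr("10.110.1.64")               # an unregistered host already using .64
    print(pool.allocate(lambda a: a == squatter))  # .64 is flagged as a conflict, .65 is offered
    print(pool.display_free_ip())
```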
Format
display dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ interface-type interface-number ] | all }
Parameters
ip-address: specifies the binding information of an IP address. If this parameter is not specified, the binding information of all the addresses is displayed.
pool-name: specifies the binding information of a global address pool. It is a string of 1 to 64 characters. If this parameter is not specified, the binding information of all the global address pools is displayed.
interface-type interface-number: specifies the binding information of an interface address pool. If this parameter is not specified, the binding information of all the interface address pools is displayed.
all: displays all binding information of IP addresses.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If no optional parameter is specified: in Ethernet interface view, the binding information in the current interface address pool is displayed; in other views, the binding information in all the address pools is displayed.
Examples
# Display the address binding information of the DHCP address pool.
<Eudemon> display dhcp server ip-in-use all
Global pool:
IP address   Hardware address   Lease expiration
2.2.2.2      4444-4444-4444     NOT Used
Interface pool:
IP address   Hardware address   Lease expiration
5.5.5.1      0050-ba28-930a     Jun 5 2007 10:56: 7 AM
Table 2-13 shows the description of the display dhcp server ip-in-use command output.
Table 2-13 Description of the display dhcp server ip-in-use command output
Item               Description
Global pool        Information of the bound addresses in the global address pool
Interface pool     Information of the bound addresses in the interface address pool
IP address         Bound IP addresses
Hardware address   Bound MAC addresses
Lease expiration   Time of the lease expiration
Type               Type of the address binding
Format
display dhcp server statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the statistics of the DHCP server.
<Eudemon> display dhcp server statistics
Global Pool:
  Pool Number:              5
  Binding
    Auto:                   0
    Manual:                 1
    Expire:                 0
Interface Pool:
  Pool Number:              1
  Binding
    Auto:                   1
    Manual:                 0
    Expire:                 0
Boot Request:               6
  Dhcp Discover:            1
  Dhcp Request:             4
  Dhcp Decline:             0
  Dhcp Release:             1
  Dhcp Inform:              0
Boot Reply:                 4
  Dhcp Offer:               1
  Dhcp Ack:                 3
  Dhcp Nak:                 0
Bad Messages:               0
HA Message:
  BatchBackup send msg:     0
  BatchBackup recv msg:     0
  BatchBackup send lease:   0
  BatchBackup recv lease:   0
Table 2-14 shows the description of the display dhcp server statistics command output.
Table 2-14 Description of the display dhcp server statistics command output
Item                                                                   Description
Global Pool                                                            Statistics on the global address pools
Interface Pool                                                         Statistics on the interface address pools
Pool Number                                                            Number of the address pools
Auto                                                                   Number of the auto-bound IP addresses
Manual                                                                 Number of the manually bound IP addresses
Expire                                                                 Number of the expired IP addresses
Boot Request                                                           Number of the messages that the DHCP clients send to the DHCP server
Dhcp Discover, Dhcp Request, Dhcp Decline, Dhcp Release, Dhcp Inform   Statistics on the received DHCP packets
Boot Reply                                                             Number of the messages that the DHCP server sends to the DHCP clients
Dhcp Offer, Dhcp Ack, Dhcp Nak                                         Statistics on the sent DHCP packets
Bad Messages                                                           Statistics on the error packets
BatchBackup send msg                                                   HA messages sent by the main board during the batch backup
BatchBackup recv msg                                                   HA messages received by the standby board during the batch backup
BatchBackup send lease                                                 Lease messages sent by the main board during the batch backup
BatchBackup recv lease                                                 Lease messages received by the standby board during the batch backup
Address pools of each node; option parameters; valid period of address lease; DNS server.
Format
display dhcp server tree { pool [ pool-name ] | interface [ interface-type interface-number ] | all }
Parameters
pool-name: specifies the name of the global address pool. It is a string of 1 to 64 characters. The absence of the parameter means all the global address pools. interface-type interface-number: specifies the name of the interface address pool. The absence of the parameter means all the interface address pools. all: indicates all the DHCP address pools.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the tree-structure information of the DHCP address pools.
<Eudemon> display dhcp server tree all
Global pool:
Pool name: 5
 network 1.1.1.0 mask 255.255.255.0
 Child node:6
 Sibling node:7
 option 1 ip-address 255.0.0.0
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C
Pool name: 6
 host 10.10.1.2 255.0.0.0 hardware-address 1111.2222.3333 gigabitethernet
 Parent node:5
 option 1 ip-address 255.255.0.0
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C
Pool name: 7
 network 10.10.1.64 255.255.255.192
 PrevSibling node:5
 Sibling node:8
 option 1 ip-address 255.0.0.0
 expired unlimited
Pool name: 8
 network 20.10.1.1 255.255.255.0
 Child node:9
 PrevSibling node:7
 option 1 ip-address 255.0.0.0
 gateway-list 2.2.2.2
 nbns-list 3.3.3.3
 netbios-type m-node
 expired 2 0 0
 option 58 hex 00 01 51 80
 option 59 hex 00 00 00 3C
Pool name: 9
 network 30.10.1.64 255.255.255.0
 Parent node:8
 option 1 ip-address 255.0.0.0
 gateway-list 2.2.2.2
 dns-list 1.1.1.1
 domain-name 444444
 nbns-list 3.3.3.3
 netbios-type m-node
 expired 2 0 0
 option 58 hex 00 01 51 80
 option 59 hex 00 00 00 3C
Interface pool:
Pool name: Ethernet11/2/0
 network 5.5.5.0 mask 255.255.255.0
 option 1 ip-address 255.255.255.0
 gateway-list 5.5.5.5
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C
Table 2-15 shows the description of the display dhcp server tree command output.
Table 2-15 Description of the display dhcp server tree command output
Item                                                                Description
Global pool                                                         Information of the global address pools
Interface pool                                                      Information of the interface address pools
Pool Name                                                           Name of the address pool
network                                                             Range of the assignable addresses
host 10.10.1.2 255.0.0.0 hardware-address 1111.2222.3333 ethernet   Statically bound IP address and MAC address
Child node:6                                                        The child node of this node is address pool 6. The node types that may appear here are:
                                                                    Child node: the address pool of the child node (sub-network).
                                                                    Parent node: the address pool of the parent node (natural network segment).
                                                                    Sibling node: the address pool of the next sibling node (other subnets in the same natural segment). The order of the sibling nodes follows the configuration order.
                                                                    PrevSibling node: the previous sibling node of this node.
option                                                              User-defined DHCP options
expired                                                             Valid period of the address lease, represented in days, hours and minutes
gateway-list                                                        Gateway router assigned to the DHCP client
dns-list                                                            DNS server assigned to the DHCP client
domain-name                                                         Domain name specified for the DHCP client
nbns-list                                                           NetBIOS server assigned to the DHCP client
netbios-type                                                        NetBIOS node type specified for the DHCP client
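The ascii, hex and ip-address forms of dhcp server option, and the option 58 value that the tree output shows beside each expired setting, follow the standard DHCP option encoding (code, length, value). The following Python encoder and parser is an added example, not Huawei's code; the function names, the option 6 and 15 sample values and the treatment of option 58 as half the lease are assumptions drawn from the tree output above.

```python
"""Added example (not Huawei's code): turn the CLI forms of 'dhcp server option' and
'expired' into DHCP option bytes, and parse such bytes back.  Encoding follows the
standard DHCP option TLV layout: one code byte, one length byte, then the value."""
import ipaddress
import re
import struct
from typing import Dict, List, Union

HEX_CHUNK = re.compile(r"^([0-9A-Fa-f]{2}|[0-9A-Fa-f]{4})$")  # 'hh' or 'hhhh' as on the page


def lease_seconds(day: int, hour: int = 0, minute: int = 0) -> int:
    """Seconds in an 'expired day hour minute' lease; field ranges as documented."""
    if not (0 <= day <= 365 and 0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("lease field out of range")
    return day * 86400 + hour * 3600 + minute * 60


def renewal_option58(day: int, hour: int = 0, minute: int = 0) -> bytes:
    """Value of option 58 (renewal time T1): half the lease as a 32-bit big-endian count.
    Assumption taken from the tree output, where 'expired 1 0 0' shows 00 00 A8 C0."""
    return struct.pack("!I", lease_seconds(day, hour, minute) // 2)


def encode_option(code: int, kind: str, values: Union[str, List[str]]) -> bytes:
    """One TLV from the 'dhcp server option code { ascii | hex | ip-address }' arguments."""
    if not 2 <= code <= 254:
        raise ValueError("option code must be 2..254")
    if kind == "ascii":
        if not isinstance(values, str) or not 1 <= len(values) <= 63:
            raise ValueError("ascii-string must be 1..63 characters")
        payload = values.encode("ascii")
    elif kind == "hex":
        if not 1 <= len(values) <= 10 or any(not HEX_CHUNK.match(v) for v in values):
            raise ValueError("hex form takes 1..10 strings of 2 or 4 hex digits")
        payload = b"".join(bytes.fromhex(v) for v in values)
    elif kind == "ip-address":
        if not 1 <= len(values) <= 8:
            raise ValueError("ip-address form takes 1..8 addresses")
        payload = b"".join(ipaddress.IPv4Address(v).packed for v in values)
    else:
        raise ValueError("kind must be ascii, hex or ip-address")
    return bytes([code, len(payload)]) + payload


def cli_hex(value: bytes) -> str:
    """Render bytes the way the 'display dhcp server tree' output prints them."""
    return " ".join(f"{b:02X}" for b in value)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse a TLV sequence: pad (0) is skipped, end (255) stops, truncation is rejected."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError(f"option {code} truncated at offset {i}")
        length = blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out


if __name__ == "__main__":
    # The page's own example: 'dhcp server option 100 hex 11 22'
    opt100 = encode_option(100, "hex", ["11", "22"])
    # Constructed: the page's dns-list and domain-name values as standard options 6 and 15
    blob = (opt100 + encode_option(6, "ip-address", ["1.1.1.254"])
            + encode_option(15, "ascii", "mydomain.com.cn") + b"\xff")
    print(cli_hex(renewal_option58(1)))          # 00 00 A8 C0, as in the tree output
    print({k: cli_hex(v) for k, v in decode_options(blob).items()})
```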
2.8.32 dns-list
Function
Using the dns-list command, you can assign an IP address in the global DHCP address pool to the DNS server of the client. Using the undo dns-list command, you can cancel the configuration.
Format
dns-list ip-address &<1-8>
undo dns-list { ip-address | all }
Parameters
ip-address: specifies the IP address of the DNS server. Up to 8 IP addresses can be configured in one command, separated by spaces.
all: deletes all IP addresses (in the global DHCP address pool) allocated for the DNS server of the client.
Views
DHCP address pool view
Default Level
2: Configuration level
Usage Guidelines
By default, no IP address of DNS server is configured. You can configure up to eight IP addresses of the DNS servers in each DHCP address pool.
Examples
# Specify 1.1.1.254 as the IP address of the DNS server for DHCP address pool 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] dns-list 1.1.1.254
2.8.33 domain-name
Function
Using the domain-name command, you can configure the domain name that a global DHCP address pool assigns to its clients. Using the undo domain-name command, you can remove the assigned domain name.
Format
domain-name domain-name
undo domain-name
Parameters
domain-name: specifies the domain name that the DHCP server assigns to clients. It is a string of 3 to 50 characters.
Views
DHCP address pool view
Default Level
2: Configuration level
Usage Guidelines
By default, no domain name is assigned to DHCP clients and the domain name is null.
Examples
# Set the domain name to mydomain.com.cn for DHCP address pool 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] domain-name mydomain.com.cn
2.8.34 expired
Function
Using the expired command, you can configure the lease for addresses in a global DHCP address pool. Using the undo expired command, you can restore the default setting.
Format
expired { day day [ hour hour [ minute minute ] ] | unlimited }
undo expired
Parameters
day day: specifies the number of days. The value ranges from 0 to 365. By default, the value is 1 day.
hour hour: specifies the number of hours. The value ranges from 0 to 23. By default, the value is 0.
minute minute: specifies the number of minutes. The value ranges from 0 to 59. By default, the value is 0.
unlimited: indicates that the lease never expires.
Views
DHCP address pool view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the leases of IP addresses in the global address pool 0 to one day, two hours and three minutes.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] expired day 1 hour 2 minute 3
2.8.35 gateway-list
Function
Using the gateway-list command, you can configure the IP address of the default gateway (on a Eudemon deployment normally the firewall interface on the client segment) that DHCP clients of a global address pool use. Using the undo gateway-list command, you can remove the configuration.
Format
gateway-list ip-address &<1-8>
undo gateway-list { ip-address | all }
Parameters
ip-address: specifies the IP address of a gateway. You can configure a maximum of eight addresses in one command, separated by spaces.
all: removes all configured gateway addresses.
Views
DHCP address pool view
Default Level
2: Configuration level
Usage Guidelines
By default, no gateway is configured, so clients receive no default route from the pool.
Examples
# Specify 10.110.1.99 as the gateway address for DHCP address pool 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] gateway-list 10.110.1.99
2.8.36 ip relay address (interface view)
Function
Using the ip relay address command, you can configure the IP address of a DHCP server to which the interface relays client requests. Using the undo ip relay address command, you can remove one or all relay addresses from the interface.
Format
ip relay address ip-address
undo ip relay address { ip-address | all }
Parameters
ip-address: specifies the IP address of the DHCP server (the relay address), in dotted decimal notation. By default, no relay address is configured on any Ethernet interface.
all: removes all relay addresses configured on the interface.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
The relay address is the IP address of the DHCP server to which a device enabled with DHCP relay forwards client requests received on this interface.
NOTE
During parts of the DHCP exchange the client sends broadcast packets; therefore an interface configured with relay addresses must support broadcast. The ip relay address command applies only to broadcast-capable interfaces such as Ethernet interfaces.
Examples
# Add two relay addresses to the interface GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ip relay address 202.38.1.2
[Eudemon-GigabitEthernet0/0/0] ip relay address 202.38.1.3
2.8.37 ip relay address (system view)
Function
Using the ip relay address command in the system view, you can configure a DHCP server relay address on one interface or on a range of sub-interfaces in a single command. Using the undo ip relay address command, you can remove the relay addresses.
Format
ip relay address ip-address { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }
undo ip relay address { ip-address | all } { all | interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ] | interface interface-type interface-number }
Parameters
ip-address: specifies the IP address of the DHCP server (the relay address), in dotted decimal notation. By default, no relay address is configured on any Ethernet interface.
interface interface-type sub-interface-number1 [ to interface-type sub-interface-number2 ]: specifies a sub-interface or, with the keyword to, a range of sub-interfaces; all sub-interfaces between the two, including both ends, are configured.
interface interface-type interface-number: specifies a single interface.
all: applies the relay address to all interfaces (in the undo form, removes all relay addresses).
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Using this command, you can configure multiple relay addresses on Ethernet interfaces for transparent forwarding of client requests.
NOTE
During parts of the DHCP exchange the client sends broadcast packets; therefore an interface configured with relay addresses must support broadcast. The ip relay address command applies only to broadcast-capable interfaces such as Ethernet interfaces.
Examples
# Add the relay address 202.38.1.2 to the interfaces from GigabitEthernet 0/0/0 to GigabitEthernet 0/0/2.
<Eudemon> system-view
[Eudemon] ip relay address 202.38.1.2 interface gigabitethernet 0/0/0 to gigabitethernet 0/0/2
2.8.38 ip relay address cycle
Function
Using the ip relay address cycle command, you can set DHCP relay to polling (round-robin) mode over the configured relay addresses. Using the undo ip relay address cycle command, you can restore the default broadcast mode.
Format
ip relay address cycle
undo ip relay address cycle
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the relay works in broadcast mode: each client request is forwarded to all configured relay addresses. In polling mode the DHCP servers are used in turn. Suppose there are three clients, A, B and C, and three relay addresses, S1, S2 and S3, are configured on the relay device. Client A uses S1, client B uses S2 and client C uses S3. If A restarts, it continues to use S1; when a fourth client starts, it uses S1 again, and the cycle continues in this way.
Examples
# Set DHCP relay to polling mode.
<Eudemon> system-view
[Eudemon] ip relay address cycle
2.8.39 nbns-list
Function
Using the nbns-list command, you can configure the IP address of the NetBIOS name server for the clients of a global DHCP address pool. Using the undo nbns-list command, you can remove the configured NetBIOS server address.
Format
nbns-list ip-address &<1-8>
undo nbns-list { ip-address | all }
Parameters
ip-address: specifies the IP address of a NetBIOS server. You can configure up to eight addresses in one command, separated by spaces. By default, no NetBIOS server address is configured.
all: removes all configured NetBIOS server addresses.
Views
DHCP address pool view
Default Level
2: Configuration level
Usage Guidelines
At present, you can configure up to eight NetBIOS servers for each DHCP address pool.
Examples
# Specify the NetBIOS server at 10.12.1.99 for the clients of DHCP address pool 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] nbns-list 10.12.1.99
2.8.40 netbios-type
Function
Using the netbios-type command, you can configure the NetBIOS node type of the clients of a global DHCP address pool. Using the undo netbios-type command, you can restore the default setting.
Format
netbios-type { b-node | h-node | m-node | p-node }
undo netbios-type
Parameters
b-node: indicates the broadcast mode. Mappings between host names and IP addresses are obtained by broadcast.
p-node: indicates the peer-to-peer mode. Mappings are obtained by querying the NetBIOS name server.
m-node: indicates the mixed mode. The client broadcasts first and, if that fails, queries the NetBIOS name server.
h-node: indicates the hybrid mode. The client queries the NetBIOS name server first and, if that fails, falls back to broadcast.
Views
DHCP address pool view
Default Level
2: Configuration level
Usage Guidelines
By default, NetBIOS node type is specified as h-node.
Examples
# Set the NetBIOS node type to b-node for the clients of DHCP address pool 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] netbios-type b-node
2.8.41 network
Function
Using the network command, you can configure the range of IP addresses that a global DHCP address pool allocates dynamically. Using the undo network command, you can remove the configured range.
Format
network ip-address [ mask netmask ]
undo network
Parameters
ip-address: specifies the subnet address of the IP address pool used for dynamic allocation. mask netmask: indicates the network mask of the IP address pool. Natural mask is adopted if the parameter is not specified.
Views
DHCP address pool view
Default Level
2: Configuration level
Usage Guidelines
By default, no IP address range is configured for dynamic allocation. All addresses in a DHCP address pool must belong to the same network segment; a newly configured segment replaces the previous one. If several segments are needed, configure them in separate address pools.
Examples
# Set an address range 192.168.8.0/24 for the DHCP address pool 0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] network 192.168.8.0 mask 255.255.255.0
2.8.42 option
Function
Using the option command, you can configure the self-defined options for a DHCP global address pool. Using the undo option command, you can delete the self-defined DHCP options.
Format
option code { ascii ascii-string | hex hex-string &<1-10> | ip-address ip-address &<1-8> }
undo option code
Parameters
code: specifies the code of the self-defined option. It is an integer ranging from 2 to 254.
ascii ascii-string: specifies an ASCII string of 1 to 63 characters.
hex hex-string &<1-10>: specifies 1 to 10 hexadecimal strings of 2 or 4 digits each (hh or hhhh), separated by spaces.
ip-address ip-address &<1-8>: specifies 1 to 8 IP addresses, separated by spaces.
Views
DHCP address pool view
Default Level
2: Configuration level
Usage Guidelines
New options are defined as DHCP evolves. To deliver an option the server does not know natively, add it manually to the attribute list of the address pool with this command.
Examples
# Define the hexadecimal numbers of code 100 to 0x11 and 0x22.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] option 100 hex 11 22
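The pool attributes set with dns-list, domain-name, expired, gateway-list, nbns-list, netbios-type and option reach the client as DHCP option TLVs in the OFFER and ACK. The following Python example is added here and is not part of the Huawei reference or the Eudemon software: it encodes a pool's settings into that option field and parses it back, so a capture taken on the client segment can be compared with the running configuration. Option codes and wire formats are those of RFC 2132; the pool dictionary, the function names and the range checks mirroring the CLI limits are this example's own constructions.

```python
"""Encode a DHCP pool's settings as RFC 2132 option TLVs and parse them back.

Added example (not Huawei's code). The pool values are constructed sample
input taken from the examples in this section; the range checks mirror the
limits the CLI documents (1 to 8 addresses, domain name 3 to 50 chars,
user-defined option code 2 to 254).
"""
import ipaddress
import struct

# RFC 2132 option codes for the attributes this section configures.
OPT_ROUTER = 3          # gateway-list
OPT_DNS = 6             # dns-list
OPT_DOMAIN = 15         # domain-name
OPT_NBNS = 44           # nbns-list
OPT_NB_NODE_TYPE = 46   # netbios-type
OPT_LEASE = 51          # expired
OPT_END = 255

# RFC 2132 section 8.7 node-type codes.
NODE_TYPE = {"b-node": 0x1, "p-node": 0x2, "m-node": 0x4, "h-node": 0x8}


def lease_seconds(day=1, hour=0, minute=0, unlimited=False):
    """expired { day d [ hour h [ minute m ] ] | unlimited } -> option 51 value."""
    if unlimited:
        return 0xFFFFFFFF          # RFC 2132: infinite lease
    if not (0 <= day <= 365 and 0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("lease fields outside the documented ranges")
    return day * 86400 + hour * 3600 + minute * 60


def _tlv(code, payload):
    if not 0 < len(payload) < 256:
        raise ValueError(f"option {code}: payload must be 1..255 bytes")
    return bytes([code, len(payload)]) + payload


def _ip_list(code, addrs):
    if not 1 <= len(addrs) <= 8:       # the CLI accepts 1 to 8 addresses per command
        raise ValueError(f"option {code}: 1 to 8 addresses expected")
    return _tlv(code, b"".join(ipaddress.IPv4Address(a).packed for a in addrs))


def encode_pool_options(pool):
    """pool: dict keyed by the CLI keywords; returns the DHCP option field."""
    out = b""
    if pool.get("gateway-list"):
        out += _ip_list(OPT_ROUTER, pool["gateway-list"])
    if pool.get("dns-list"):
        out += _ip_list(OPT_DNS, pool["dns-list"])
    if pool.get("domain-name"):
        name = pool["domain-name"]
        if not 3 <= len(name) <= 50:
            raise ValueError("domain-name must be 3 to 50 characters")
        out += _tlv(OPT_DOMAIN, name.encode("ascii"))
    if pool.get("nbns-list"):
        out += _ip_list(OPT_NBNS, pool["nbns-list"])
    # netbios-type defaults to h-node in the reference when not configured.
    out += _tlv(OPT_NB_NODE_TYPE, bytes([NODE_TYPE[pool.get("netbios-type", "h-node")]]))
    out += _tlv(OPT_LEASE, struct.pack("!I", lease_seconds(**pool.get("expired", {}))))
    # option <code> hex <hh ...>: user-defined options carried as raw bytes.
    for code, hexwords in pool.get("option", {}).items():
        if not 2 <= code <= 254:
            raise ValueError("user-defined option code must be 2..254")
        out += _tlv(code, bytes.fromhex("".join(hexwords)))
    return out + bytes([OPT_END])


def decode_options(data):
    """Parse an option field into {code: payload}, stopping at END (255)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:                     # PAD
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        payload = data[i + 2:i + 2 + length]
        if len(payload) != length:        # reject a length that runs past the buffer
            raise ValueError(f"option {code} claims {length} bytes, {len(payload)} present")
        opts[code] = payload
        i += 2 + length
    return opts


# Constructed sample pool using the values from this section's examples.
SAMPLE_POOL = {
    "gateway-list": ["10.110.1.99"],
    "dns-list": ["1.1.1.254"],
    "domain-name": "mydomain.com.cn",
    "nbns-list": ["10.12.1.99"],
    "netbios-type": "b-node",
    "expired": {"day": 1, "hour": 2, "minute": 3},
    "option": {100: ["11", "22"]},
}

if __name__ == "__main__":
    for code, payload in decode_options(encode_pool_options(SAMPLE_POOL)).items():
        print(code, payload.hex())
```

The decoder checks each declared length against the bytes actually present; a relay or client parser that trusts the length byte is the classic source of DHCP option over-reads, so the same check is worth running over any captured option field before comparing it with the pool configuration.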
2.8.43 reset dhcp relay statistics
Function
Using the reset dhcp relay statistics command, you can clear the DHCP relay statistics.
Format
reset dhcp relay statistics
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Clear the DHCP relay statistics.
<Eudemon> reset dhcp relay statistics
2.8.44 reset dhcp server conflict
Function
Using the reset dhcp server conflict command, you can clear the statistics about address conflicts detected by the DHCP server.
Format
reset dhcp server conflict { ip ip-address | all }
Parameters
ip ip-address: specifies a conflicting IP address.
all: indicates all the conflicting IP addresses in the address pools.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Clear all the statistical information about address conflicts.
<Eudemon> reset dhcp server conflict all
2.8.45 reset dhcp server ip-in-use
Function
Using the reset dhcp server ip-in-use command, you can clear the address binding information of the DHCP server.
Format
reset dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ interface-type interface-number ] | all }
Parameters
ip ip-address: clears the binding information of the specified IP address.
pool [ pool-name ]: clears the bindings of a global address pool. pool-name is a string of 1 to 64 characters; if no name is specified, all global address pools are cleared.
interface [ interface-type interface-number ]: clears the bindings of an interface address pool; if no interface is specified, all interface address pools are cleared.
all: clears the bindings of all address pools.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Clear the binding information of the address 10.110.1.1.
<Eudemon> reset dhcp server ip-in-use ip 10.110.1.1
2.8.46 reset dhcp server statistics
Function
Using the reset dhcp server statistics command, you can clear the statistics of the DHCP server.
Format
reset dhcp server statistics
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Clear the statistics of the DHCP server.
<Eudemon> reset dhcp server statistics
2.8.47 static-bind ip-address
Function
Using the static-bind ip-address command, you can configure the IP address that a global DHCP address pool binds statically to a client. Using the undo static-bind ip-address command, you can remove the binding.
Format
static-bind ip-address ip-address [ mask netmask ]
undo static-bind ip-address
Parameters
ip-address: specifies the IP address to be bound. By default, no IP address is bound statically.
mask netmask: specifies the mask of the bound IP address. If it is not specified, the natural mask is adopted.
Views
DHCP address pool view
Default Level
2: Configuration level
Usage Guidelines
Use the static-bind ip-address and static-bind mac-address commands to configure the bound IP address and the bound MAC address respectively.
Examples
# Bind the PC whose MAC address is 0000-e03f-0305 with the IP address 10.1.1.1. The mask is 255.255.255.0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 1
[Eudemon-dhcp-1] static-bind ip-address 10.1.1.1 mask 255.255.255.0
[Eudemon-dhcp-1] static-bind mac-address 0000-e03f-0305
2.8.48 static-bind mac-address
Function
Using the static-bind mac-address command, you can configure the MAC address of the client to which a global DHCP address pool binds a static IP address. Using the undo static-bind mac-address command, you can remove the binding.
Format
static-bind mac-address mac-address
undo static-bind mac-address
Parameters
mac-address: specifies the host MAC address to be bound. It is in the format of H-H-H.
Views
DHCP address pool view
Default Level
2: Configuration level
Usage Guidelines
By default, no MAC address is bound statically. The static-bind mac-address and static-bind ip-address commands must be used together to configure the bound MAC address and IP address respectively.
Examples
# Bind the PC whose MAC address is 0000-e03f-0305 with an IP address 10.1.1.1. The mask is 255.255.255.0.
<Eudemon> system-view
[Eudemon] dhcp server ip-pool 0
[Eudemon-dhcp-0] static-bind ip-address 10.1.1.1 mask 255.255.255.0
[Eudemon-dhcp-0] static-bind mac-address 0000-e03f-0305
2.9.12 display icmp statistics
2.9.13 display ip socket
2.9.14 display ip statistics
2.9.15 display tcp statistics
2.9.16 display tcp status
2.9.17 display udp statistics
2.9.18 reset tcp statistics
2.9.19 reset udp statistics
2.9.20 tcp timer fin-timeout
2.9.21 tcp timer syn-timeout
2.9.22 tcp window
2.9.1 debugging ip
Function
Using the debugging ip packet command, you can enable IP packet debugging; an ACL can be specified to restrict the debugging output to matching packets. Using the undo debugging ip packet command, you can disable it.
Using the debugging ip icmp command, you can enable ICMP debugging. Using the undo debugging ip icmp command, you can disable it.
Using the debugging ip policy command, you can enable debugging of policy-based routing. Using the undo debugging ip policy command, you can disable it.
Using the debugging ip rtpro command, you can enable debugging of the routing protocols. Using the undo debugging ip rtpro command, you can disable it.
Using the debugging ip multicast-policy command, you can enable debugging of multicast policy-based routing. Using the undo debugging ip multicast-policy command, you can disable it.
Format
debugging ip { packet [ acl acl-number ] | icmp | policy | rtpro { interface | kernel | routing | task [ task | timer ] } | multicast-policy }
undo debugging ip { packet | icmp | policy | rtpro [ interface | kernel | routing | task [ task | timer ] ] | multicast-policy }
Parameters
acl-number: specifies the ACL number, in the range 2000 to 3999. ACLs numbered 2000 to 2999 are basic ACLs; ACLs numbered 3000 to 3999 are advanced ACLs.
task: debugs task scheduling of the routing protocols.
timer: debugs the timers of the routing protocols.
interface: debugs the interface handling of the routing protocols.
kernel: debugs the kernel of the routing protocols.
routing: debugs the routing table of the routing protocols.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Enable IP debugging.
<Eudemon> debugging ip packet
2.9.2 debugging tcp event
Function
Using the debugging tcp event command, you can enable debugging of TCP events. Using the undo debugging tcp event command, you can disable it.
Format
debugging tcp event [ task-id socket-id ]
undo debugging tcp event [ task-id socket-id ]
Parameters
task-id: specifies the ID of a task. The value is an integer ranging from 1 to 100. socket-id: specifies the ID of a socket. The value is an integer ranging from 1 to 3072.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
Only a fixed number of debugging switches (combinations of a task ID and a socket ID) can be enabled at a time. In addition, when TCP accepts an incoming connection request, a new socket is created for that connection, and some programs, such as the Telnet server, also create a new task to handle it. Information about such connections therefore cannot be filtered by task-id and socket-id.
Examples
# Enable debugging of TCP events.
<Eudemon> debugging tcp event
2.9.3 debugging tcp packet
Function
Using the debugging tcp packet command, you can enable debugging of TCP packets. Using the undo debugging tcp packet command, you can disable it.
Format
debugging tcp packet [ task-id socket-id ]
undo debugging tcp packet [ task-id socket-id ]
Parameters
task-id: specifies the ID of a task. The value is an integer ranging from 1 to 100. socket-id: specifies the ID of a socket. The value is an integer ranging from 0 to 3072.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Enable debugging of TCP packets.
<Eudemon> debugging tcp packet
2.9.4 debugging udp packet
Function
Using the debugging udp packet command, you can enable debugging of UDP packets. Using the undo debugging udp packet command, you can disable it.
Format
debugging udp packet [ task-id socket-id ]
undo debugging udp packet [ task-id socket-id ]
Parameters
task-id: specifies the ID of a task. The value is an integer ranging from 1 to 100. socket-id: specifies the ID of a socket. The value is an integer ranging from 1 to 3072.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Enable debugging of UDP packets.
<Eudemon> debugging udp packet
2.9.5 debugging tcp md5
Function
Using the debugging tcp md5 command, you can enable debugging of TCP MD5 authentication. Using the undo debugging tcp md5 command, you can disable it.
Format
debugging tcp md5
undo debugging tcp md5
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Enable TCP MD5 authentication debugging.
<Eudemon> debugging tcp md5
2.9.6 display fib
Function
Using the display fib command, you can view the forwarding information base (FIB).
Format
display fib
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command outputs the FIB as a list in which each line represents one route, with the following columns:
- Destination address/Mask length
- Next hop
- Current flag, a combination of G, H, U and S: G indicates that the next hop is a gateway; H indicates that the next hop is a host; U indicates that the route is Up (available); S indicates a static route.
- TimeStamp
- Output interface
Examples
# Display FIB.
<Eudemon> display fib
Destination/Mask    Nexthop       Flag   TimeStamp   Interface
172.16.0.0/16       172.16.0.1    U      t[0]        GigabitEthernet0/0/1
66.1.2.0/24         5.5.5.1       GSU    t[0]        GigabitEthernet0/0/0
66.1.3.0/24         5.5.5.1       GSU    t[0]        GigabitEthernet0/0/0
192.168.1.0/24      5.5.5.1       GSU    t[0]        GigabitEthernet0/0/0
5.0.0.0/8           5.5.5.2       U      t[0]        GigabitEthernet0/0/0
172.16.0.1/32       127.0.0.1     GHU    t[0]        InLoopBack0
5.5.5.2/32          127.0.0.1     GHU    t[0]        InLoopBack0
127.0.0.0/8         127.0.0.1     U      t[0]        InLoopBack0

Table 2-16 shows the description of the display fib command output.

Table 2-16 Description of the display fib command output

Item - Description
Destination/Mask - Destination address/mask length
Nexthop - Next hop
Flag - Current flag, a combination of G, H, U and S: G indicates that the next hop is a gateway; H indicates that the next hop is a host; U indicates that the route is Up; S indicates a static route
TimeStamp - Time stamp of the entry
Interface - Output interface
2.9.7 display fib |
Function
Using the display fib | command, you can filter the FIB output with a regular expression, showing the lines that begin at, include or exclude the character string text.
Format
display fib | { begin | include | exclude } text
Parameters
text: specifies the character string used as the regular expression.
begin: displays all lines starting from the first line that matches text.
exclude: displays all lines that do not match text.
include: displays only the lines that match text.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display fib | begin text command displays the lines from the first line containing the string text to the end of the buffer. The display fib | include text command displays only the lines containing text. The display fib | exclude text command displays the lines not containing text.
Examples
# Display the lines beginning from the line including the character string "169.254.0.0" to the end line of the buffer.
<Eudemon> display fib | begin 169.254.0.0
Destination/Mask    Nexthop      Flag   TimeStamp   Interface
169.254.0.0/16      2.1.1.1      U      t[0]        GigabitEthernet0/0/0
2.0.0.0/16          2.1.1.1      U      t[0]        GigabitEthernet0/0/0
127.0.0.0/8         127.0.0.1    U      t[0]        InLoopBack0

Table 2-17 shows the description of the display fib | command output.

Table 2-17 Description of the display fib | command output

Item - Description
Destination/Mask - Destination address/mask length
Nexthop - Address of the next hop
Flag - Current flag, a combination of G, H, U and S: G indicates that the next hop is a gateway; H indicates that the next hop is a host; U indicates that the route is Up; S indicates a static route
TimeStamp - Time stamp of the entry
Interface - Output interface
2.9.8 display fib acl
Function
Using the display fib acl command, you can view the FIB entries that match a basic ACL, optionally further filtered by a prefix list or a regular expression.
Format
display fib acl acl-number [ ip-prefix list-name ] [ statistic ] [ | { begin | exclude | include } text ]
Parameters
acl-number: specifies the ACL number. The value is an integer ranging from 2000 to 2999.
list-name: specifies the name of a prefix list. It is a string of 1 to 19 characters.
statistic: displays only the number of matching entries.
text: specifies the character string used as the regular expression.
begin: displays all lines starting from the first line that matches text.
exclude: displays all lines that do not match text.
include: displays only the lines that match text.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If the ACL is specified by name, the name of a basic ACL must be entered; otherwise the system reports an input error. When an ACL name or a number in the range 2000 to 2999 is entered, the corresponding ACL is looked up. If no such ACL exists, all FIB entries are displayed; if it exists, the matching FIB entries are displayed in the format shown below. If no FIB entry matches the filtering rules, the following information is displayed:
Route entry matched by access-list 2002:
Summary count: 0
If the number of matching FIB entries is not 0, they are displayed in the following format:
Route entry matched by access-list 2001:
Summary count: 1
Destination/Mask    Nexthop      Flag   TimeStamp   Interface
127.0.0.0/8         127.0.0.1    U      t[0]        InLoopBack0
Examples
# Display the FIB table entries matched by the ACL.
<Eudemon> display fib acl 2010
Route entry matched by access-list 2010:
Summary count: 1
Destination/Mask    Nexthop      Flag   TimeStamp   Interface
127.0.0.0/8         127.0.0.1    U      t[0]        InLoopBack0

Table 2-18 shows the description of the display fib acl command output.

Table 2-18 Description of the display fib acl command output

Item - Description
Destination/Mask - Destination address/mask length
Nexthop - Next hop address
Flag - Current flag, a combination of G, H, U and S: G indicates that the next hop is a gateway; H indicates that the next hop is a host; U indicates that the route is Up; S indicates a static route
TimeStamp - Time stamp of the entry
Interface - Output interface
2.9.9 display fib ip-prefix
Function
Using the display fib ip-prefix command, you can view the FIB entries that match a prefix list.
Format
display fib ip-prefix list-name
Parameters
list-name: specifies the name of a prefix list. It is a string of 1 to 19 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If no FIB entry matches the prefix list, the output reports that the number of matching entries is 0; otherwise the matching entries are displayed in the format shown below. When nothing matches, the following information is displayed:
Route entry matched by prefix-list abc1:
Summary count: 0
If the number of matching FIB entries is not 0, they are displayed in the following format:
Route entry matched by prefix-list abc2:
Summary count: 1
Destination/Mask    Nexthop      Flag   TimeStamp   Interface
127.0.0.0/8         127.0.0.1    U      t[0]        InLoopBack0
Examples
# Display the FIB table entries matched by the prefix list abc0.
<Eudemon> display fib ip-prefix abc0
Route Entry matched by prefix-list abc0:
Summary count: 4
Destination/Mask    Nexthop      Flag   TimeStamp   Interface
127.0.0.0/8         127.0.0.1    U
127.0.0.1/32        127.0.0.1    U
169.0.0.0/8         2.1.1.1      SU
169.0.0.0/16        2.1.1.1      SU

Table 2-19 shows the description of the display fib ip-prefix command output.

Table 2-19 Description of the display fib ip-prefix command output

Item - Description
Destination/Mask - Destination address/mask length
Nexthop - Next hop
Flag - Current flag, a combination of G, H, U and S: G indicates that the next hop is a gateway; H indicates that the next hop is a host; U indicates that the route is Up; S indicates a static route
TimeStamp - Time stamp of the entry
Interface - Output interface
2.9.10 display fib longer
Function
Using the display fib dest-address command and its variants, you can view the FIB entries that match a destination address, a destination address and mask, or a range of destination addresses.
Format
display fib dest-address1 dest-mask1 [ longer ]
display fib dest-address1 dest-mask1 dest-address2 dest-mask2
Parameters
dest-address1: specifies destination IP address 1, in dotted decimal notation.
dest-mask1: specifies the subnet mask corresponding to destination IP address 1, either as a mask in dotted decimal notation or as a mask length in integer form.
dest-address2: specifies destination IP address 2, in dotted decimal notation.
dest-mask2: specifies the subnet mask corresponding to destination IP address 2, either as a mask in dotted decimal notation or as a mask length in integer form.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Different parameters select different matching methods.
The display fib dest-address command searches by destination address. If FIB entries exist within the natural-mask range of the address, all those subnets are displayed; otherwise only the longest-match entry is displayed.
The display fib dest-address dest-mask command displays the FIB entries that exactly match the destination address and mask.
The display fib dest-address longer command displays the FIB entries within the natural-mask range of the destination address.
The display fib dest-address dest-mask longer command displays the FIB entries within the range given by the entered mask.
The display fib dest-address1 dest-mask1 dest-address2 dest-mask2 command displays the FIB entries whose destination lies in the range from dest-address1/dest-mask1 to dest-address2/dest-mask2.
Examples
# Display the FIB entries whose destination matches 169.253.0.0 within its natural-mask range, falling back to the longest match.
<Eudemon> display fib 169.253.0.0
Destination/Mask    Nexthop      Flag   TimeStamp   Interface
169.0.0.0/8         2.1.1.1      U      t[0]        GigabitEthernet0/0/0
# Display the FIB entries whose destination address is within the range from 169.254.0.0/16 to 169.254.0.6/16.
<Eudemon> display fib 169.254.0.0 255.255.0.0 169.254.0.6 255.255.0.0
Destination/Mask    Nexthop      Flag   TimeStamp   Interface
169.254.0.1/8       2.1.1.1      U      t[0]        GigabitEthernet0/0/0

Table 2-20 shows the description of the display fib longer command output.

Table 2-20 Description of the display fib longer command output

Item - Description
Destination/Mask - Destination address/mask length
Nexthop - Next hop
Flag - Current flag, a combination of G, H, U and S: G indicates that the next hop is a gateway; H indicates that the next hop is a host; U indicates that the route is Up; S indicates a static route
TimeStamp - Time stamp of the entry
Interface - Output interface
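The lookup rules above (natural-mask range, longest match, exact match, longer) and the begin/include/exclude filter are easy to misread from the prose alone. The following Python example is added here and is not part of the Huawei reference or the Eudemon software: it parses a FIB listing in the format display fib prints and reproduces those rules offline, so a captured table can be queried when auditing what a firewall will forward. FIB_TEXT is constructed sample output, the rows from the display fib example above plus a default route (0.0.0.0/0) added so the longest-match branch is exercised; function names and the prefix-list rule format are this example's own.

```python
"""Offline queries over a captured `display fib` table (added example, not Huawei's code).

Implements the lookup semantics the reference describes for
display fib dest-address [ dest-mask ] [ longer ], the | begin/include/exclude
filter and a prefix-list match. FIB_TEXT is constructed sample output.
"""
import ipaddress
import re
from dataclasses import dataclass

FIB_TEXT = """\
Destination/Mask  Nexthop     Flag  TimeStamp  Interface
172.16.0.0/16     172.16.0.1  U     t[0]       GigabitEthernet0/0/1
66.1.2.0/24       5.5.5.1     GSU   t[0]       GigabitEthernet0/0/0
66.1.3.0/24       5.5.5.1     GSU   t[0]       GigabitEthernet0/0/0
192.168.1.0/24    5.5.5.1     GSU   t[0]       GigabitEthernet0/0/0
5.0.0.0/8         5.5.5.2     U     t[0]       GigabitEthernet0/0/0
172.16.0.1/32     127.0.0.1   GHU   t[0]       InLoopBack0
5.5.5.2/32        127.0.0.1   GHU   t[0]       InLoopBack0
127.0.0.0/8       127.0.0.1   U     t[0]       InLoopBack0
0.0.0.0/0         5.5.5.1     GSU   t[0]       GigabitEthernet0/0/0
"""


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    nexthop: str
    flags: str        # G gateway, H host, U up, S static, as in the reference
    interface: str

    def line(self):
        return f"{self.prefix}  {self.nexthop}  {self.flags}  {self.interface}"


def parse_fib(text):
    """One FibEntry per data row; the first line is the column header."""
    entries = []
    for row in text.splitlines()[1:]:
        dest, nexthop, flags, _timestamp, iface = row.split()
        entries.append(FibEntry(ipaddress.ip_network(dest), nexthop, flags, iface))
    return entries


def natural_mask(addr):
    """Classful length assumed when no mask is given: class A /8, B /16, C /24."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    return 8 if first < 128 else 16 if first < 192 else 24


def lookup(entries, dest, mask=None, longer=False):
    """display fib dest-address [ dest-mask ] [ longer ]; mask may be a length or dotted."""
    plen = mask if mask is not None else natural_mask(dest)
    scope = ipaddress.ip_network(f"{dest}/{plen}", strict=False)
    if mask is not None and not longer:          # exact address-and-mask match
        return [e for e in entries if e.prefix == scope]
    subnets = [e for e in entries if e.prefix.subnet_of(scope)]
    if longer or subnets:                        # everything inside the range
        return subnets
    host = ipaddress.ip_network(f"{dest}/32")    # otherwise longest-prefix match
    covering = [e for e in entries if host.subnet_of(e.prefix)]
    return [max(covering, key=lambda e: e.prefix.prefixlen)] if covering else []


def pipe_filter(lines, mode, text):
    """| { begin | include | exclude } text, with text as a regular expression."""
    pat = re.compile(text)
    if mode == "begin":
        hits = [i for i, line in enumerate(lines) if pat.search(line)]
        return lines[hits[0]:] if hits else []
    if mode == "include":
        return [line for line in lines if pat.search(line)]
    if mode == "exclude":
        return [line for line in lines if not pat.search(line)]
    raise ValueError(f"unknown filter mode {mode!r}")


def prefix_list_match(entries, rules):
    """rules: (permit, network, ge, le) tried in order; first hit decides, default deny."""
    matched = []
    for e in entries:
        for permit, net, ge, le in rules:
            if e.prefix.subnet_of(ipaddress.ip_network(net)) and ge <= e.prefix.prefixlen <= le:
                if permit:
                    matched.append(e)
                break
    return matched


if __name__ == "__main__":
    fib = parse_fib(FIB_TEXT)
    for e in lookup(fib, "172.16.0.5"):          # natural mask /16: both 172.16 entries
        print(e.line())
```

Note that a bare dest-address with no covering entry in its natural-mask range falls through to the longest match, which with a default route present is always the default route; when checking whether a host is reachable only through a specific prefix, pass the mask explicitly.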
2.9.11 display fib statistics
Function
Using the display fib statistics command, you can view the total number of FIB entries.
Format
display fib statistics [ | { begin | exclude | include } text ]
Parameters
|: filters the output with a regular expression.
begin: displays the output starting from the first line that matches text.
exclude: displays only the lines that do not match text.
include: displays only the lines that match text.
text: specifies the regular expression applied to the output.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the total number of FIB table entries.
<Eudemon> display fib statistics
Route Entry Count : 30

Table 2-21 shows the description of the display fib statistics command output.

Table 2-21 Description of the display fib statistics command output

Item - Description
Route Entry Count : 30 - Total number of FIB table entries
2.9.12 display icmp statistics
Function
Using the display icmp statistics command, you can view the statistics of ICMP traffic.
Format
display icmp statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the statistics of the ICMP traffic.
<Eudemon> display icmp statistics
  Input: bad formats          0        bad checksum             0
         echo                 0        destination unreachable  0
         source quench        0        redirects                0
         echo reply           0        parameter problem        0
         timestamp            0        information request      0
         mask requests        0        mask replies             0
         time exceeded        0
  Output:echo                 0        destination unreachable  333594
         source quench        0        redirects                0
         echo reply           0        parameter problem        0
         timestamp            0        mask requests            0
         time exceeded        34249

Table 2-22 shows the description of the display icmp statistics command output.

Table 2-22 Description of the display icmp statistics command output

Item - Description
Input - Received packets
Output - Sent packets
bad formats - Number of packets with a malformed header
bad checksum - Number of packets with an incorrect checksum
echo - Number of echo request packets
destination unreachable - Number of destination unreachable packets
source quench - Number of source quench packets
redirects - Number of redirect packets
echo reply - Number of echo reply packets
parameter problem - Number of parameter problem packets
timestamp - Number of timestamp request packets
information request - Number of information request packets
mask requests - Number of address mask request packets
mask replies - Number of address mask reply packets
time exceeded - Number of time exceeded packets
2.9.13 display ip socket
Function
Using the display ip socket command, you can view the sockets open on the device, optionally restricted to one socket type or to one task and socket ID.
Format
display ip socket [ socktype socket-type-value ] [ task-id socket-id ]
Parameters
socket-type-value: specifies the type of socket: 1 for TCP, 2 for UDP, 3 for raw IP.
task-id: specifies the ID of a task. The value is an integer ranging from 1 to 100.
socket-id: specifies the ID of a socket. The value is an integer ranging from 0 to 3072.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display all the sockets.
<Eudemon> display ip socket
SOCK_STREAM:
Task = VTYD(9), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 4096, rcvbuf = 4096, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN socket state = SS_PRIV SS_ASYNC
SOCK_DGRAM:
Task = ROUT(6), socketid = 1, Proto = 17,
LA = 0.0.0.0:0, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM socket state = SS_PRIV SS_ASYNC
SOCK_RAW:
Task = ROUT(6), socketid = 2, Proto = 2,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 32767, rcvbuf = 32767, sb_cc = 0, rb_cc = 0,
socket option = 0, socket state = SS_PRIV SS_NBIO SS_ASYNC
Table 2-23 shows the description of the display ip socket command output.
Table 2-23 Description of the display ip socket command output
Item: Description
SOCK_STREAM: The socket type, including SOCK_STREAM, SOCK_DGRAM and SOCK_RAW.
Proto: The protocol number used by the socket.
sndbuf: The sending buffer size of the socket.
rcvbuf: The receiving buffer size of the socket.
sb_cc: The current data size in the sending buffer. The value makes sense only for a socket of the TCP type, because only TCP is able to cache data.
rb_cc: The current data size in the receiving buffer.
socket option: The option of the socket.
socket state: The state of the socket.
2.9.14 display ip statistics
Format
display ip statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the IP traffic statistics.
<Eudemon> display ip statistics
Input: sum 0            local 0
       bad protocol 0   bad format 0
       bad checksum 0   bad options 0
       TTL exceeded 0
Table 2-24 shows the description of the display ip statistics command output.
Table 2-24 Description of the display ip statistics command output
Item: Description
Input: Number of received packets
  sum: Total number of received packets
  local: Number of packets sent to the upper protocol
  bad protocol: Number of packets involved in unknown protocols
  bad format: Number of packets with mistaken format
  bad checksum: Number of packets with mistaken checksum
  bad options: Number of packets with mistaken options
  TTL exceeded: Number of discarded packets due to TTL timeout
Output: Number of sent packets
  forwarding: Number of forwarded packets
  local: Number of generated packets
  dropped: Number of discarded packets
  no route: Number of packets without a route
Fragment: Number of fragments
  input: Number of received fragments
  output: Number of created fragments
  dropped: Number of discarded fragments
  fragmented: Number of successfully fragmented packets
  couldn't fragment: Number of packets incapable of fragmentation
Reassembling:
  sum: Number of successfully reassembled fragments
  timeouts: Number of time-out fragments
2.9.15 display tcp statistics
Function
Using the display tcp statistics command, you can view TCP traffic statistics.
Format
display tcp statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The command displays the traffic statistics of all active TCP connections. The statistics are divided into two parts, receiving and sending, and each part is further classified by packet type; for received packets, for example, the numbers of retransmitted packets and keepalive probe packets are counted. Statistics closely related to connections are also displayed, such as the number of connections received, the number of retransmitted packets and the number of keepalive probe packets. The unit of the statistics is packets, and in some cases bytes.
Examples
# Display TCP traffic statistics.
<Eudemon> display tcp statistics
Received packets:
Total: 0
packets in sequence: 0 (0 bytes)
window probe packets: 0, window update packets: 0
checksum error : 0, offset error: 0, short error: 0
duplicate packets : 0 (0 bytes), partially duplicate packets : 0(0 bytes)
out-of-order packets : 0 (0 bytes)
packets with data after window : 0 (0 bytes)
packets after close : 0
ACK packets:0 (0 bytes), duplicate ack packets:0, ack packets with unsend data:0
Sent packets:
Total: 0
urgent packets: 0
control packets: 0 ( 0 RST)
window probe packets: 0, window update packets: 0
data packets : 0 (0 bytes), data packets retransmitted: 0 (0 bytes)
ACK-only packets : 0(0 delayed)
Retransmit timeout: 0, connections dropped in retransmit timeout: 0
Keepalive timeout: 0, keepalive probe: 0, dropped connections in keepalive: 0
Initiated connections: 0, accepted connections: 0,established connections: 0
Closed connections: 0,( dropped: 0, embryonic dropped: 0)
Packet dropped packets with MD5 authentication : 0
Packet permitted packets with MD5 authentication : 0
Table 2-25 shows the description of the display tcp statistics command output.
Table 2-25 Description of the display tcp statistics command output
Item: Description
Received packets: Statistics of received data
Total: Total number of the received packets
packets in sequence (bytes): Number (total byte number) of the packets that arrive in sequence
window probe packets: Number of window probe packets
window update packets: Number of window update packets
checksum error: Number of packets with mistaken checksum
offset error: Number of packets with mistaken length
short error: Number of short packets
duplicate packets (bytes): Number of completely repeated packets (total byte number)
partially duplicate packets (bytes): Number of partly repeated packets (total byte number)
out-of-order packets (bytes): Number of packets with mistaken sequence (total bytes)
packets of data after window (bytes): Number of unreachable packets (total byte number)
packets received after close: Number of packets that arrive after the connection is closed
ACK packets (bytes): Number of the acknowledged packets (the acknowledged data byte number)
duplicate ACK packets: Number of the re-acknowledged packets
too much ACK packets: Number of acknowledged ACK packets without transmitting data
Sent packets: Statistics of sent packets
Total: Total number of the sent packets
urgent packets: Number of the urgent data packets
control packets (RST): Number of control packets (the number of RST packets)
window probe packets: Number of the window probe packets
window update packets: Number of the window update packets
data packets: Number of the data packets (total byte number)
data packets retransmitted (0 bytes): Number of the retransmitted packets (total byte number)
ACK only packets (delayed): Number of the ACK packets (delayed)
Retransmitted timeout: Number of timeouts of the retransmission timer
connections dropped in retransmitted timeout: Number of dropped connections because their retransmission number exceeds the limit
Keepalive timeout: Timeout time of the keepalive timer
keepalive probe: Number of the sent keepalive packets
Keepalive timeout, so connections disconnected: Number of the discarded connections because the keepalive probe fails
Initiated connections: Number of initiated connections
accepted connections: Number of accepted connections
established connections: Number of established connections
Closed connections (dropped, initiated dropped): Number of the closed connections (the number of dropped connections (after receiving SYN), the number of active connection failures (before receiving the peer SYN))
Packets dropped with MD5 authentication: Number of dropped packets after MD5 authentication
Packets permitted with MD5 authentication: Number of passed packets after MD5 authentication
2.9.16 display tcp status
Format
display tcp status
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the TCP connection status.
<Eudemon> display tcp status
TCPCB     Local Add:port   Foreign Add:port  State
06b45804  0.0.0.0:22       0.0.0.0:0         Listening
06b455c4  0.0.0.0:23       0.0.0.0:0         Listening
07453364  0.0.0.0:179      1.1.1.1:0         Listening
07454e64  0.0.0.0:179      5.1.1.1:0         Listening
07453b44  0.0.0.0:179      10.1.1.2:0        Listening
074548c4  0.0.0.0:179      11.1.1.2:0        Listening
Table 2-26 shows the description of the display tcp status command output.
Table 2-26 Description of the display tcp status command output
Item: Description
TCPCB: Sequence number of the TCP task control block.
Local Add:port: The local IP address and local port number of the TCP connection.
Foreign Add:port: The remote IP address and remote port number.
State: Status of the TCP connection, which is one of the following:
- ESTAB: the connection has been established.
- Listening: the socket is listening for connections.
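Added example, not from the Huawei manual: a Python parser for the display tcp status output shown above that lists the listening sockets and compares them against an operator-supplied baseline of expected ports, which is a quick way to notice an unexpected management listener. The sample text below is constructed from the example output in this section; the final ESTAB row, its addresses and the baseline port set {22, 179} are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample, laid out like the display tcp status example in this
# section; the last ESTAB row and its addresses are an added assumption.
SAMPLE_TCP_STATUS = """\
<Eudemon> display tcp status
TCPCB     Local Add:port   Foreign Add:port  State
06b45804  0.0.0.0:22       0.0.0.0:0         Listening
06b455c4  0.0.0.0:23       0.0.0.0:0         Listening
07453364  0.0.0.0:179      1.1.1.1:0         Listening
07454e64  0.0.0.0:179      5.1.1.1:0         Listening
07453b44  0.0.0.0:179      10.1.1.2:0        Listening
074548c4  0.0.0.0:179      11.1.1.2:0        Listening
07455000  10.1.1.1:23      10.1.1.9:40211    ESTAB
"""


@dataclass(frozen=True)
class TcpEntry:
    tcpcb: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: str


# One data row: 8-hex-digit TCPCB, two addr:port columns, then a state word.
ROW_RE = re.compile(
    r"^(?P<tcpcb>[0-9a-fA-F]{8})\s+"
    r"(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<fip>[\d.]+):(?P<fport>\d+)\s+"
    r"(?P<state>\S+)$"
)


def parse_tcp_status(text: str) -> List[TcpEntry]:
    """Convert the tabular output into records; the prompt and header lines
    do not match ROW_RE and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            entries.append(TcpEntry(m["tcpcb"], m["lip"], int(m["lport"]),
                                    m["fip"], int(m["fport"]), m["state"]))
    return entries


def listening_ports(entries: Iterable[TcpEntry]) -> List[int]:
    """Ports in Listening state bound to all local addresses (0.0.0.0)."""
    return sorted({e.local_port for e in entries
                   if e.state == "Listening" and e.local_ip == "0.0.0.0"})


def wildcard_listeners(entries: Iterable[TcpEntry]) -> List[int]:
    """Listening ports whose Foreign Add:port is also the wildcard; these accept
    a connection from any source, unlike the per-peer BGP rows in the sample."""
    return sorted({e.local_port for e in entries
                   if e.state == "Listening" and e.foreign_ip == "0.0.0.0"})


def unexpected_listeners(entries: Iterable[TcpEntry], allowed: Set[int]) -> List[int]:
    """Listening ports that are not in the operator's baseline (an input here)."""
    return [p for p in listening_ports(entries) if p not in allowed]


def established_count(entries: Iterable[TcpEntry]) -> int:
    """Number of rows in ESTAB state."""
    return sum(1 for e in entries if e.state == "ESTAB")


if __name__ == "__main__":
    rows = parse_tcp_status(SAMPLE_TCP_STATUS)
    print("listening:", listening_ports(rows))
    print("wildcard listeners:", wildcard_listeners(rows))
    print("not in baseline {22, 179}:", unexpected_listeners(rows, {22, 179}))
```

With the baseline {22, 179} the script reports port 23 as unexpected; the baseline itself is whatever the device's approved service set is, and the check is only as good as that list.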
2.9.17 display udp statistics
Format
display udp statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The command displays the traffic statistics of all active UDP connections. The statistics are divided into two parts, receiving and sending, and each part is further classified by packet type, for example checksum error packets. Statistics closely related to connections, such as the number of broadcast packets, are also displayed. The unit of the statistics is packets.
Examples
# Display UDP traffic statistics.
<Eudemon> display udp statistics
Received packets:
Total: 30
checksum error: 0
shorter than header: 0, data length larger than packet: 0
no socket on port: 0
broadcast: 30
not delivered, input socket full: 0
input packets missing pcb cache: 0
Sent packets:
Total: 0
Table 2-27 shows the description of the display udp statistics command output.
Table 2-27 Description of the display udp statistics command output
Item: Description
Received packet
Total
checksum error: Checksum error packets.
shorter than header, data length larger than packet: Packets whose length is shorter than its header.
no socket on port: Unicast packets.
broadcast: Broadcast packets.
not delivered, input socket full: Packets that are not sent out because the socket buffer is full.
input packets missing pcb cache: Failing to find the count on PCB packets.
Sent packet
Total: Total number of the sent UDP packets.
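Added example (not from the Huawei manual) covering both the display tcp statistics output above and the display udp statistics output here: a Python parser that turns their "label: value" lines into a counter dictionary, takes the difference between two snapshots, and flags counters whose growth reaches a threshold, for instance embryonic dropped (defined in Table 2-25 as connection failures before the peer's SYN is received) or checksum errors. The snapshots are constructed from the example outputs on this page; the raised values in the second TCP snapshot and the threshold table are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed snapshot in the layout of the display tcp statistics example
# in this section (every counter is 0 there, as on the page).
TCP_SNAPSHOT_1 = """\
<Eudemon> display tcp statistics
Received packets:
Total: 0
packets in sequence: 0 (0 bytes)
window probe packets: 0, window update packets: 0
checksum error : 0, offset error: 0, short error: 0
duplicate packets : 0 (0 bytes), partially duplicate packets : 0(0 bytes)
out-of-order packets : 0 (0 bytes)
packets with data after window : 0 (0 bytes)
packets after close : 0
ACK packets:0 (0 bytes), duplicate ack packets:0, ack packets with unsend data:0
Sent packets:
Total: 0
urgent packets: 0
control packets: 0 ( 0 RST)
window probe packets: 0, window update packets: 0
data packets : 0 (0 bytes), data packets retransmitted: 0 (0 bytes)
ACK-only packets : 0(0 delayed)
Retransmit timeout: 0, connections dropped in retransmit timeout: 0
Keepalive timeout: 0, keepalive probe: 0, dropped connections in keepalive: 0
Initiated connections: 0, accepted connections: 0,established connections: 0
Closed connections: 0,( dropped: 0, embryonic dropped: 0)
Packet dropped packets with MD5 authentication : 0
Packet permitted packets with MD5 authentication : 0
"""

# A later, constructed snapshot of the same device with a few counters raised
# (the values are assumptions chosen to trip the thresholds below).
TCP_SNAPSHOT_2 = (
    TCP_SNAPSHOT_1
    .replace("checksum error : 0", "checksum error : 7")
    .replace("Initiated connections: 0, accepted connections: 0,established connections: 0",
             "Initiated connections: 12, accepted connections: 4030,established connections: 31")
    .replace("Closed connections: 0,( dropped: 0, embryonic dropped: 0)",
             "Closed connections: 4000,( dropped: 2, embryonic dropped: 3950)")
)

# Constructed, in the layout of the display udp statistics example above.
UDP_SNAPSHOT = """\
<Eudemon> display udp statistics
Received packets:
Total: 30
checksum error: 0
shorter than header: 0, data length larger than packet: 0
no socket on port: 0
broadcast: 30
not delivered, input socket full: 0
input packets missing pcb cache: 0
Sent packets:
Total: 0
"""

# "label: value" pairs; a label may contain spaces, digits (MD5), hyphens and
# commas, and the colon may be preceded by a space. Labels cannot span a colon,
# so "(0 bytes)" style annotations are left out.
LABEL_VALUE_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ,\-]*?)\s*:\s*(\d+)")


def parse_counters(text: str) -> Dict[str, int]:
    """Counters keyed as 'section/label'. Total occurs under both Received
    packets and Sent packets, so the section prefix keeps them apart."""
    counters: Dict[str, int] = {}
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Received packets:"):
            section = "received"
            continue
        if line.startswith("Sent packets:"):
            section = "sent"
            continue
        for label, value in LABEL_VALUE_RE.findall(line):
            counters[f"{section}/{label.strip()}"] = int(value)
    return counters


def delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter increase between two snapshots (counters are cumulative
    until reset tcp statistics / reset udp statistics clears them)."""
    return {k: v - before.get(k, 0) for k, v in after.items()}


# Alert thresholds per polling interval (constructed example values).
THRESHOLDS = {
    "received/checksum error": 1,
    "sent/embryonic dropped": 1000,
    "sent/Packet dropped packets with MD5 authentication": 1,
    "received/no socket on port": 500,
}


def anomalies(change: Dict[str, int], thresholds=THRESHOLDS) -> List[Tuple[str, int]]:
    """Counters whose increase reached their threshold, sorted by key."""
    return sorted((k, v) for k, v in change.items()
                  if k in thresholds and v >= thresholds[k])


if __name__ == "__main__":
    d = delta(parse_counters(TCP_SNAPSHOT_1), parse_counters(TCP_SNAPSHOT_2))
    for key, inc in anomalies(d):
        print(f"ALERT {key}: +{inc}")
    print("udp received total:", parse_counters(UDP_SNAPSHOT)["received/Total"])
```

Because the counters are cumulative, the comparison has to be between two polls taken without a reset in between; a reset between polls produces negative deltas, which the threshold test ignores.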
Format
reset tcp statistics
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
No prompt is displayed to confirm that the statistics have been cleared.
Examples
# Clear TCP traffic statistics.
<Eudemon> reset tcp statistics
Format
reset udp statistics
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
No prompt is displayed to confirm that the statistics have been cleared.
Examples
# Clear UDP traffic statistics.
<Eudemon> reset udp statistics
Format
tcp timer fin-timeout time-value
undo tcp timer fin-timeout
Parameters
time-value: specifies the value of the TCP finwait timer, in the range of 76 to 3600 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the TCP finwait timer value is 675 seconds. When the TCP connection state changes from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer is started. If no FIN packet is received before the finwait timer expires, the TCP connection is closed. This parameter should be set only under the guidance of technical support personnel.
Examples
# Set the TCP finwait timer value as 675 seconds.
<Eudemon> system-view
[Eudemon] tcp timer fin-timeout 675
Format
tcp timer syn-timeout time-value
undo tcp timer syn-timeout
Parameters
time-value: specifies the value of the TCP synwait timer, in the range of 2 to 600 seconds. By default, the TCP synwait timer value is 75 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When a SYN packet is sent, TCP starts the synwait timer. If no response packet is received before the synwait timer expires, the TCP connection is closed. This parameter should be set only under the guidance of technical support personnel.
Examples
# Set the TCP synwait timer value as 75 seconds.
<Eudemon> system-view
[Eudemon] tcp timer syn-timeout 75
Format
tcp window window-size
undo tcp window
Parameters
window-size: specifies the size of the transceiving buffer of the connection-oriented socket, in the range of 1 to 32 KB.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the size of the connection-oriented transceiving buffer is 8192 bytes. This parameter should be set only under the guidance of technical support personnel.
Examples
# Set the size of the transceiving buffer of the connection-oriented socket to 4 KB.
<Eudemon> system-view
[Eudemon] tcp window 4
2.10.6 display ip routing-table protocol
2.10.7 display ip routing-table radix
2.10.8 display ip routing-table statistics
2.10.9 display ip routing-table verbose
Format
display ip routing-table
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Each line represents one route. The contents include the destination address, mask length, protocol, preference, cost, next hop and output interface. Only the routes in use, that is, the best routes, are displayed by the display ip routing-table command.
Examples
# View the summary of the routing table.
<Eudemon> display ip routing-table
Routing Table: public net
Destination/Mask  Protocol  Pre  Cost
1.1.1.0/24        DIRECT    0    0
2.2.2.0/24        STATIC    0    0
3.3.3.1/32        DIRECT    0    0
127.0.0.0/8       DIRECT    0    0
127.0.0.1/32      DIRECT    0    0
Table 2-28 Description of the display ip routing-table command output
Item: Description
Routing Table: Type of routing table:
- Public net: indicates the public network routing table
- Private net: indicates the private network routing table
Destination/Mask: The destination address and mask length of the network or host
Protocol: The protocol through which the route is learned
Pre: Route preference
Cost: Route cost
Nexthop: Next hop
Interface: Output interface through which the next hop is reachable
Format
display ip routing-table ip-address1 mask1 ip-address2 mask2 [ verbose ]
Parameters
ip-address1, ip-address2: specify destination IP addresses in dotted decimal notation. ip-address1 and ip-address2 together determine an address range; the routes in this address range are displayed.
mask1, mask2: specify the IP address mask in dotted decimal notation, or the mask length as an integer in the range of 0 to 32.
verbose: displays both active and inactive routes in detail. Without this parameter, the command displays only the summary of active routes.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the routing of destination addresses in a range of 1.1.1.0/24 to 2.2.2.0/24.
<Eudemon> display ip routing-table 1.1.1.0 24 2.2.2.0 24
Routing tables:
Summary count: 3
Destination/Mask  Protocol  Pre  Cost  Nexthop    Interface
1.1.1.0/24        DIRECT    0    0     1.1.1.1    GigabitEthernet0/0/0
1.1.1.1/32        DIRECT    0    0     127.0.0.1  InLoopBack0
2.2.2.0/24        DIRECT    0    0     2.2.2.1    GigabitEthernet0/0/1
Format
display ip routing-table ip-address [ mask | mask-length ] [ longer-match ] [ verbose ]
Parameters
ip-address: specifies the destination IP address in dotted decimal notation.
mask: specifies the IP address mask in dotted decimal notation.
mask-length: specifies the IP address mask length. The value is an integer ranging from 0 to 32.
longer-match: displays only the routes that match the specified network or mask.
verbose: displays both active and inactive routes in detail. Without this parameter, the command displays only the summary of active routes.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
With different parameters, the output of the command differs. The output of each form of the command is as follows:
- display ip routing-table ip-address: If the destination address ip-address has a corresponding route within its natural mask range, all subnet routes in that range are displayed; otherwise only the route that best matches ip-address is displayed. In both cases only active matching routes are displayed.
- display ip routing-table ip-address mask: The routing entry that exactly matches the destination address and the mask is displayed.
- display ip routing-table ip-address longer-match: All routing entries whose destination address is in the range of the natural mask are displayed.
- display ip routing-table ip-address mask longer-match: All routing entries whose destination address is in the range of the input mask are displayed.
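Added example (not from the Huawei manual): Python code that parses a brief routing table and reproduces the selection rules of the four command forms described above, plus the per-protocol count that display ip routing-table statistics reports further on. The table is constructed from the 169.0.0.0 examples on this page; the classful natural-mask rule (/8, /16 or /24 by first octet), the function names and the generalisation to arbitrary addresses are assumptions of mine, not a description of the device's implementation.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed brief-format table in the layout of the display ip routing-table
# examples in this section (the 169.0.0.0/8 and /16 rows mirror those examples).
SAMPLE_TABLE = """\
<Eudemon> display ip routing-table
Routing Table: public net
Destination/Mask    Protocol  Pre  Cost  Nexthop    Interface
127.0.0.0/8         Direct    0    0     127.0.0.1  InLoopBack0
127.0.0.1/32        Direct    0    0     127.0.0.1  InLoopBack0
169.0.0.0/8         Static    60   0     2.1.1.1    LoopBack1
169.0.0.0/16        Static    60   0     2.1.1.1    LoopBack1
"""


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    protocol: str
    preference: int
    cost: int
    nexthop: str
    interface: str


# One data row: prefix/len, protocol, two integers, next hop, interface.
ROW_RE = re.compile(r"^(\S+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_routing_table(text: str) -> List[Route]:
    """One Route per data row; prompt, title and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            routes.append(Route(ip_network(m[1], strict=False), m[2],
                                int(m[3]), int(m[4]), m[5], m[6]))
    return routes


def natural_network(addr: IPv4Address) -> IPv4Network:
    """Classful (natural mask) network of an address: /8, /16 or /24 (assumed rule)."""
    first_octet = int(addr) >> 24
    prefixlen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ip_network(f"{addr}/{prefixlen}", strict=False)


def longest_match(routes: List[Route], addr: IPv4Address) -> Optional[Route]:
    """Most specific route containing addr, or None when nothing matches."""
    containing = [r for r in routes if addr in r.dest]
    return max(containing, key=lambda r: r.dest.prefixlen, default=None)


def lookup(routes: List[Route], ip: str, mask_length: Optional[int] = None,
           longer_match: bool = False) -> List[Route]:
    """Select routes the way the four command forms described above do."""
    addr = ip_address(ip)
    if mask_length is not None:
        target = ip_network(f"{ip}/{mask_length}", strict=False)
        if longer_match:   # ip-address mask longer-match: every route inside the mask
            return [r for r in routes if r.dest.subnet_of(target)]
        return [r for r in routes if r.dest == target]   # ip-address mask: exact entry
    in_natural = [r for r in routes if r.dest.subnet_of(natural_network(addr))]
    if longer_match or in_natural:   # ip-address longer-match, or routes exist in range
        return in_natural
    best = longest_match(routes, addr)   # ip-address with no route in the natural range
    return [best] if best else []


def count_by_protocol(routes: List[Route]) -> Dict[str, int]:
    """Per-protocol totals, like the Proto/route columns of the statistics output."""
    counts: Dict[str, int] = {}
    for r in routes:
        counts[r.protocol] = counts.get(r.protocol, 0) + 1
    return counts


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_TABLE)
    for args in ({"ip": "169.0.0.0"}, {"ip": "169.253.0.0"},
                 {"ip": "169.0.0.0", "mask_length": 8, "longer_match": True}):
        print(args, [str(r.dest) for r in lookup(table, **args)])
    print(count_by_protocol(table))
```

Run against the sample, 169.0.0.0 returns only 169.0.0.0/16 (a route exists inside its natural /16 range) while 169.253.0.0 falls back to the longest match 169.0.0.0/8, the same two outcomes the examples below show.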
Examples
# Display brief information if the corresponding route exists in the range of the default subnet mask.
<Eudemon> display ip routing-table 169.0.0.0
Destination/Mask  Protocol  Pre  Cost  Nexthop  Interface
169.0.0.0/16      Static    60   0     2.1.1.1  LoopBack1
# Display brief information if no corresponding route exists in the range of the default subnet mask. Only the longest matched route is displayed.
<Eudemon> display ip routing-table 169.253.0.0
Destination/Mask  Protocol  Pre  Cost  Nexthop  Interface
169.0.0.0/8       Static    60   0     2.1.1.1  LoopBack1
# Display detailed information if the corresponding route exists in the range of the default subnet mask.
<Eudemon> display ip routing-table 169.0.0.0 verbose
Routing tables:
+ = Active Route, - = Last Active, # = Both * = Next hop in use
Summary count:2
**Destination: 169.0.0.0 Mask: 255.0.0.0
Protocol: #Static Preference: 60
*NextHop: 2.1.1.1 Interface: 2.1.1.1(LoopBack1)
Vlinkindex: 0
State: <Int ActiveU Static Unicast>
Age: 3:47 Cost: 0/0 Tag: 0
**Destination: 169.0.0.0 Mask: 255.254.0.0
Protocol: #Static Preference: 60
*NextHop: 2.1.1.1 Interface: 2.1.1.1(LoopBack1)
Vlinkindex: 0
State: <Int ActiveU Static Unicast>
Age: 3:47 Metric: 0/0
Format
display ip routing-table acl acl-number [ verbose ]
Parameters
acl-number: specifies the number of a basic ACL, in the range of 2000 to 2999.
verbose: displays in detail both the active and inactive routes that passed the filtering rules. Without this parameter, the command displays only the summary of the active routes that passed the filtering rules.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The command is used when tracking a route policy, to display the routes that passed the filtering rules of the specified basic ACL. The command can only display routes that passed basic ACL filtering rules.
Examples
# Display brief information about the route that is in the active state and is permitted by the basic ACL 2001.
<Eudemon> display ip routing-table acl 2001
Routes matched by access-list 2001:
Summary count: 3
Destination/Mask  Protocol  Pre  Cost  Nexthop
169.0.0.0/8       Static    60   0     2.1.1.1
127.0.0.0/8       Direct    0    0     127.0.0.1
127.0.0.1/32      Direct    0    0     127.0.0.1
# Display brief information about the route that is in the active state and the inactive state and is permitted by the basic access control list ACL 2001.
<Eudemon> display ip routing-table acl 2001 verbose
Routes matched by access-list 2001:
+ = Active Route, - = Last Active, # = Both * = Next hop in use
Summary count:3
**Destination: 127.0.0.0 Mask: 255.0.0.0
Protocol: #DIRECT Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
Vlinkindex: 0
State: <NoAdvise Int ActiveU Retain Multicast Unicast>
Age: 3:47 Cost: 0/0 Tag: 0
**Destination: 127.0.0.1 Mask: 255.255.255.255
Protocol: #DIRECT Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
Vlinkindex: 0
State: <NotInstall NoAdvise Int ActiveU Retain Gateway Multicast Unicast>
Age: 3:47 Cost: 0/0 Tag:0
**Destination: 179.0.0.0 Mask: 255.0.0.0
Protocol: #Static Preference: 60
*NextHop: 4.1.1.1 Interface: 127.0.0.1(LoopBack1)
Vlinkindex: 0
State: <Int Hidden Static Unicast>
Age: 3:47 Metric: 0/0
Format
display ip routing-table ip-prefix ip-prefix-name [ verbose ]
Parameters
ip-prefix-name: specifies the name of an IP prefix list. It is a string of 1 to 19 characters.
verbose: displays in detail both the active and inactive routes that passed the filtering rules. Without this parameter, the command displays only the summary of the active routes that passed the filtering rules.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the summary of the active routes that are filtered by the IP prefix list abc2.
<Eudemon> display ip routing-table ip-prefix abc2
Routes matched by ip-prefix abc2:
Summary count: 4
Destination/Mask  Protocol  Pre  Cost  Nexthop
127.0.0.0/8       Direct    0    0     127.0.0.1
127.0.0.1/32      Direct    0    0     127.0.0.1
169.0.0.0/8       Static    60   0     2.1.1.1
169.0.0.0/15      Static    60   0     2.1.1.1
# View in detail the active and inactive routes that are filtered by the IP prefix list abc2.
<Eudemon> display ip routing-table ip-prefix abc2 verbose
Routes matched by ip-prefix abc2:
+ = Active Route, - = Last Active, # = Both * = Next hop in use
Summary count:2
**Destination: 127.0.0.0 Mask: 255.0.0.0
Protocol: #Direct Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
Vlinkindex: 0
State: <NoAdvise Int ActiveU Retain Multicast Unicast>
Age: 3:47 Cost: 0/0 Tag: 0
**Destination: 127.0.0.1 Mask: 255.255.255.255
Protocol: #Direct Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
Vlinkindex: 0
State: <NotInstall NoAdvise Int ActiveU Retain Gateway Multicast Unicast>
Age: 3:47 Cost: 0/0 Tag: 0
Format
display ip routing-table [ vpn-instance vpn-name ] protocol protocol [ inactive | verbose ]
Parameters
protocol: specifies a protocol. It can be one of the following values:
- direct: displays direct routes.
- static: displays static routes.
- bgp: displays BGP routes.
- ospf: displays OSPF routes.
- ospf-ase: displays OSPF ASE routes.
- ospf-nssa: displays OSPF NSSA routes.
- mbgp-multicast: displays MBGP multicast routes.
- multicast-static [ destination-address { destination-mask | destination-mask-length } ] [ config ]: displays static multicast routes.
destination-address: indicates the destination IP address (multicast address) of the multicast route.
destination-mask: indicates the mask of the multicast destination IP address.
destination-mask-length: indicates the mask length of the multicast destination IP address. The value is an integer ranging from 0 to 32.
config: displays the configuration of the static multicast routes. If config is specified, all static multicast routes are displayed, both active and inactive. Otherwise, only the active static multicast routes are displayed.
The bgp, mbgp-multicast, multicast-static, ospf, ospf-ase, ospf-nssa and rip protocol values are valid only when the device works in route mode.
inactive: displays inactive routes. Without this parameter, the command displays both active and inactive routes.
verbose: displays routes in detail. Without this parameter, the command displays the route summary.
vpn-instance vpn-name: specifies the name of a VPN instance. It is a string of 1 to 19 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the summary of all direct routes.
<Eudemon> display ip routing-table protocol direct
DIRECT Routing tables:
Summary count: 4
DIRECT Routing tables status:<active>:
Summary count: 3
Destination/Mask  Protocol  Pre  Cost  Nexthop    Interface
20.1.1.1/32       DIRECT    0    0     127.0.0.1  InLoopBack0
127.0.0.0/8       DIRECT    0    0     127.0.0.1  InLoopBack0
127.0.0.1/32      DIRECT    0    0     127.0.0.1  InLoopBack0
DIRECT Routing tables status:<inactive>:
Summary count: 1
Destination/Mask  Protocol  Pre  Cost  Nexthop    Interface
210.0.0.1/32      DIRECT    0    0     127.0.0.1  InLoopBack0
Interface GigabitEthernet0/0/0
Format
display ip routing-table radix
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
All views
Examples
# View the route in a tree structure.
<Eudemon> display ip routing-table radix
Radix tree for INET (2) inodes 11 routes 7:
+-32+--{192.168.1.55 +-23+ | +-24+--{192.168.0.0 | +-32+--{192.168.0.33 +--0+ | | +--8+--{127.0.0.0 | | | +-32+--{127.0.0.1 | +--1+ | | +-32+--{10.2.1.1 | +-14+ | +-32+--{10.1.1.1
Format
display ip routing-table statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The routing statistics include:
- The total number of routes, which can be added or deleted by the protocol.
- The total number of labeled routes, which are not deleted and can be active or inactive.
Examples
# View the integrated statistics of the routes.
<Eudemon> display ip routing-table statistics
Routing tables:
Proto    route  active
DIRECT   6      6
STATIC   5      3
BGP      0      0
RIP      0      0
OSPF     0      0
O_ASE    0      0
O_NSSA   0      0
AGGRE    0      0
MBGP     0      0
MStatic  0      0
Total    11     9
Table 2-29 Description of the display ip routing-table statistics command output
Item: Description
Proto: Protocol of the route:
- DIRECT: direct route
- STATIC: static route
- BGP: BGP route
- RIP: RIP route
- OSPF: OSPF route
- O_ASE: OSPF ASE route
- O_NSSA: OSPF NSSA route
- AGGRE: aggregate route
- MBGP: MBGP route
- MStatic: static multicast route
route: Total number of all routes.
active: Number of activated routes.
Total: Total number of routes.
Format
display ip routing-table [ vpn-instance vpn-name ] [ ip-address ] [ verbose ]
Parameters
vpn-instance vpn-name: specifies a VPN instance and displays its routing information. The name is a string of 1 to 19 characters.
ip-address: indicates the destination IP address of the VPN instance route.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The descriptors describing the route states are displayed first, then the statistics of the entire routing table, and finally the detailed description of each route. All current routes, including inactive and invalid routes, can be displayed using the display ip routing-table verbose command.
Examples
# Display the detailed routing table.
<Eudemon> display ip routing-table verbose
Routing Tables:
+ = Active Route, - = Last Active, # = Both * = Next hop in use
Destinations: 3 Routes: 3 Holddown: 0 Delete: 0 Hidden: 0
**Destination: 127.0.0.0 Mask: 255.0.0.0
Protocol: #DIRECT Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
State: <NoAdvise Int ActiveU Retain Unicast>
Age: 19:31:06 Cost: 0/0
**Destination: 127.0.0.1 Mask: 255.255.255.255
Protocol: #Direct Preference: 0
*NextHop: 127.0.0.1 Interface: 127.0.0.1(InLoopBack0)
State: <NotInstall NoAdvise Int ActiveU Retain Gateway Unicast>
Age: 14:03:05 Cost: 0/0
**Destination: 169.1.1.0 Mask: 255.255.255.0
Protocol: #DIRECT Preference: 0
*NextHop: 169.1.1.2 Interface: 169.1.1.2(GigabitEthernet0/0/0)
State: <Int ActiveU Retain Unicast >
Age: 44:24:53 Cost: 0/0
Table 2-30 Description of the display ip routing-table verbose command output
Item: Description
Routing Tables: Overall information in the routing table.
+ = Active Route: Currently active route.
- = Last Active: The last active route to the destination address.
# = Both: The currently active route is also the last active one.
* = Next hop in use: The next hop in use.
Destinations: Number of destination addresses in the routing table.
Routes: Number of routes in the routing table.
Holddown: Number of routes currently held down. Holddown refers to a route advertising policy used by some distance vector (D-V) routing protocols (such as RIP) in order to avoid flooding of erroneous routes. The routing information is not updated immediately after changes occur, but only after a period of time.
Delete: Number of routes that have currently been deleted.
Hidden: Number of currently hidden routes. Some routes are not available at present for some reason (for example, the interface is Down) but should not be deleted. They can be hidden for future restoration.
Destination: Destination IP address of the route. Each piece of specific routing information begins with the destination.
Mask: Destination address mask. If the destination address and mask are all zero, it is a default route.
Protocol: Type of the route.
Preference: Preference of the route. A smaller value indicates a higher preference.
NextHop: The next hop IP address.
Interface: IP address of the output interface, with the interface name in brackets.
State: Route state:
- Int: Interior Gateway Protocol (IGP) route.
- ActiveU: Active unicast route.
- Gateway: Indirect route.
- Static: Static route.
- Unicast: Unicast route.
- Retain: Not deleted when the routing protocol quits normally.
- NoAdvise: Not advertised.
- NotInstall: Not used for forwarding packets.
- LoopbackDown: The loopback interface is disabled.
Age: Duration for which the route has existed in the routing table, with hour, minute and second from left to right.
Cost: Cost of the route.
Format
apply access-vpn vpn-instance instance-name & <1-6>
undo apply access-vpn vpn-instance instance-name & <1-6>
Parameters
vpn-instance instance-name: specifies the VPN routing and forwarding instance name. At most 6 virtual firewalls can be specified in one command line.
Views
Route-policy view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Define an apply clause that applies the VPN instance vfw to the routes matched by node 10 of route-policy map1.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] apply access-vpn vpn-instance vfw
Format
apply as-path as-number & <1-10>
undo apply as-path
Parameters
as-number: specifies the AS number to be replaced or added. The value ranges from 1 to 65535. At most 10 AS numbers can be specified in one command line.
Views
Route-policy view
Default Level
2: Configuration level
Usage Guidelines
By default, no AS number is substituted or added.
Examples
# Change the original AS number in the original AS-Path to 200.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] apply as-path 200
Format
apply community none
apply community [ aa:nn & <1-16> | no-advertise no-export no-export-subconfed ] * [ additive ]
undo apply community
Parameters
aa:nn: specifies the community number. The values of aa and nn range from 1 to 65535. At most 16 community numbers can be configured.
no-advertise: does not send the matched route to any peer.
no-export: sends the matched route to sub-ASs but not outside the AS.
no-export-subconfed: sends the matched route neither outside the AS nor to other sub-ASs.
additive: adds the specified community attributes to the existing community attributes of the matched route.
Views
Route-policy view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Configure a Route-Policy named setcommunity. Match the route with the As-path as 8, and change its community attribute to no-export.
<Eudemon> system-view
[Eudemon] route-policy setcommunity permit node 16
[Eudemon-route-policy] if-match as-path-filter 8
[Eudemon-route-policy] apply community no-export
Format
apply local-preference preference
undo apply local-preference
Parameters
preference: specifies the BGP local priority. The value ranges from 0 to 4,294,967,295.
Views
Route-policy view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the local priority of the BGP routing information as 130.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] apply local-preference 130
Format
apply origin { egp as-number | igp | incomplete }
undo apply origin
Parameters
egp: sets the origin of the BGP routing information to external (learned through EGP).
igp: sets the origin of the BGP routing information to internal (learned through IGP).
incomplete: sets the origin of the BGP routing information to unknown.
as-number: specifies the AS number for the external routes. The value ranges from 1 to 65535.
Views
Route-policy view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the route source of the routing information as IGP.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] apply origin igp
Function
Using the apply tag command, you can set the tag field of routing information. Using the undo apply tag command, you can cancel this setting.
Format
apply tag tag
undo apply tag
Parameters
tag: specifies the tag of routing information. The value ranges from 0 to 4,294,967,295.
Views
Route-policy view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the tag of routing information to 100.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] apply tag 100
Format
apply cost value
undo apply cost
Parameters
value: specifies the route cost of routing information. The value ranges from 0 to 4,294,967,295.
Views
Route-policy view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Define an apply clause to set the route cost of routing information as 120.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] apply cost 120
Format
apply cost-type [ internal | external ]
undo apply cost-type
Parameters
internal: uses the IGP cost as the MED value of BGP when the route is advertised to an EBGP peer.
external: refers to the external cost of IS-IS.
Views
Route-Policy view
Default Level
2: Configuration level
Usage Guidelines
By default, the attribute of the route cost is not set.
Examples
# Set the cost of IGP as the MED value of BGP.
Format
display ip as-path-acl [ as-path-acl-number ]
Parameters
as-path-acl-number: specifies matched AS path acl number. The value ranges from 1 to 199.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the configured AS-Path acl.
<Eudemon> display ip as-path-acl
No.   Mode     Expression
1     permit   fad
      permit   fd
      permit   10
      deny     20
Table 2-31 shows the description of the display ip as-path-acl command output.
Table 2-31 Description of the display ip as-path-acl command output
Item         Description
No.          AS-Path acl number.
Mode         Matching mode: permit or deny.
Expression   Regular expression matched against the AS path.
Format
display ip community-list [ basic-comm-list-num | adv-comm-list-num ]
Parameters
basic-comm-list-num: specifies the basic community list number. The value ranges from 1 to 99.
adv-comm-list-num: specifies the advanced community list number. The value ranges from 100 to 199.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display all community lists.
<Eudemon> display ip community-list
Community-list 1 deny internet
Community-list 100 permit 10
Table 2-32 shows the description of the display ip community-list command output.
Table 2-32 Description of the display ip community-list command output
Item               Description
Community filter
Format
display ip ip-prefix [ ip-prefix-name ]
Parameters
ip-prefix-name: Specifies the name of the address prefix list to be displayed. The value is a string of 1 to 169 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If the ip-prefix-name is not specified, all the address prefix lists set are displayed.
Examples
# Display the address prefix list named p1.
<Eudemon> display ip ip-prefix p1
Format
display ip policy
Parameters
None
Views
All views
Default Level
2: Monitoring level
Usage Guidelines
None
Examples
# Display the routing policies of the local and configured interface policy routings.
<Eudemon> display ip policy
Route-policy   Interface
pr02           Local
pr02           Virtual-Template0
pr01           GigabitEthernet 0/0/0
The first line is the column header. The Interface column shows where the route-policy named in the Route-policy column is enabled. In the first entry, "Local" means that policy routing pr02 is enabled on the local device, that is, it applies to packets sent by the local device itself (not to packets forwarded through it). The second and third entries show that the interfaces Virtual-Template0 and GigabitEthernet 0/0/0 use pr02 and pr01 respectively.
Format
display ip policy setup { local | interface interface-type interface-number }
Parameters
local: displays the setting of local policy routing.
interface: displays the setting of interface policy routing.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The output format of the display ip policy setup local command is the same as that of the display route-policy command, except that it displays the policy routing enabled on the local device rather than the configuration of one specified route-policy. The display ip policy setup interface command displays the configuration of the policy routing enabled on the specified interface.
Examples
# Display the specific configurations of the local policy routing, enabled or disabled.
<Eudemon> display ip policy setup local
route-policy pr01 permit node 0
  if-match acl 2011
  apply ip-address next-hop 3.3.3.3
As shown above, the local policy routing has a single node (node 0) that contains one if-match clause and one apply clause. For the exact meanings of the if-match and apply clauses, refer to the configuration guide for each command. The command matches the option policy-tag.
Format
display ip policy statistics { local | interface interface-type interface-number }
Parameters
local: displays the statistics of local policy routing packets.
interface: displays the statistics of interface policy routing packets.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the matching statistics of the specified policy routing.
<Eudemon> display ip policy statistics local
local policy pr02 summary information:
Main board
Total success packet number: 0
Total failure packet number: 0
The above output shows, for the local policy routing, how many packets were forwarded successfully and how many failed under all of its apply clauses.
Format
display route-policy [ route-policy-name ]
Parameters
route-policy-name: Specifies the name of the Route-Policy to be displayed. It is a string of 1 to 40 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If the route-policy-name is not specified, all the Route-Policies configured are displayed.
Examples
# Display information of the Route-Policy named policy1.
<Eudemon> display route-policy policy1
Route-policy : policy1
  Permit 10 :
    if-match ip address <access-no> 1
    apply cost 100
    apply tag 100
Function
Using the if-match acl command, you can set a match rule based on an ACL. Using the undo if-match acl command, you can delete the match rule.
Format
if-match acl acl-number
undo if-match acl
Parameters
acl-number: specifies the number of ACL. ACL numbered 2000 to 2999 refers to the basic ACL, and ACL numbered 3000 to 3999 refers to the advanced ACL.
Views
Route-Policy view
Default Level
2: Configuration level
Usage Guidelines
By default, no ACL-based match rule is set.
Examples
# Match the routes permitted by access control list 2010.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] if-match acl 2010
Format
if-match as-path as-path-number
undo if-match as-path
Parameters
as-path-number: specifies the number of the AS-Path list. The value ranges from 1 to 199.
Views
Route-Policy view
Default Level
2: Configuration level
Usage Guidelines
By default, no AS-Path-list-based match rule is set.
Examples
# Match the routes permitted by AS-Path list 2.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] if-match as-path 2
Format
if-match community { basic-comm-list-number [ whole-match ] | adv-comm-list-number }
undo if-match community
Parameters
basic-comm-list-number: specifies the number of the basic community list. The value ranges from 1 to 99.
adv-comm-list-number: specifies the number of the advanced community list. The value ranges from 100 to 199.
Views
Route-Policy view
Default Level
2: Configuration level
Usage Guidelines
By default, no community-list-based match rule is set.
Examples
# Match the routes permitted by basic community list 1.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] if-match community 1
Format
if-match cost value
undo if-match cost
Parameters
value: specifies the required route cost in a range of 0 to 4294967295.
Views
Route-Policy view
Default Level
2: Configuration level
Usage Guidelines
By default, the matching rule based on the routing cost is not set.
Examples
# Match the routing information whose route cost is 8.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] if-match cost 8
Format
if-match interface interface-type interface-number
undo if-match interface
Parameters
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
Views
Route-Policy view
Default Level
2: Configuration level
Usage Guidelines
By default, no match rule based on the outgoing interface is set. Within one Route-policy node, multiple if-match interface clauses are in an "OR" relationship: as soon as the routing information matches any one of them, the node's apply clauses can be executed.
Examples
# Define a rule to match the route whose outgoing interface is GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] if-match interface GigabitEthernet 0/0/0
Format
if-match ip next-hop { acl acl-number | ip-prefix ip-prefix-name }
undo if-match ip next-hop [ ip-prefix ]
Parameters
acl-number: specifies the ACL for filtering. The value ranges from 2000 to 2999.
ip-prefix-name: specifies the prefix list name of the address for filtering. The value ranges from 1 to 19 characters.
Views
Route-Policy view
Default Level
2: Configuration level
Usage Guidelines
By default, no match rule based on the next hop of the routing information is set. As one of the if-match clauses, if-match ip next-hop specifies the next-hop address that routing information must match when it is filtered; the filtering is carried out by referencing an ACL or an address prefix list.
Examples
# Define a rule that matches routing information whose next-hop address is permitted by IP prefix list p1.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] if-match ip next-hop ip-prefix p1
Format
if-match ip-prefix ip-prefix-name
undo if-match ip-prefix
Parameters
ip-prefix-name: specifies the name of the IP address prefix list. The name is a string of 1 to 19 characters.
Views
Route-Policy view
Default Level
2: Configuration level
Usage Guidelines
By default, the matching rule based on the IP address prefix list is not set.
Examples
# Use address prefix list p1 to filter routing information by destination prefix.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] if-match ip-prefix p1
Format
if-match packet-length min-length max-length
undo if-match packet-length
Parameters
min-length: specifies the minimum network-layer packet length. The value is an integer ranging from 0 to 2147483647.
max-length: specifies the maximum network-layer packet length. The value is an integer ranging from 0 to 2147483647.
Views
Route-Policy view
Default Level
2: Configuration level
Usage Guidelines
By default, no matching rule based on packet length is set.
Examples
# Match packets whose length is in the range of 100 to 200.
Format
if-match tag tag
undo if-match tag
Parameters
tag: specifies the routing tag. The value ranges from 0 to 4294967295.
Views
Route-Policy view
Default Level
2: Configuration level
Usage Guidelines
By default, the matching rule based on the routing tag field is not set.
Examples
# Match the routing information whose routing tag is 8.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy] if-match tag 8
2.11.25 ip as-path-acl
Function
Using the ip as-path-acl command, you can add an AS-Path acl entry. Using the undo ip as-path-acl command, you can delete the specified AS-Path acl.
Format
ip as-path-acl as-path-acl-number { deny | permit } regular-expression
Parameters
as-path-acl-number: specifies the AS path acl number. The value ranges from 1 to 199.
regular-expression: specifies the regular expression matched against the AS path.
deny: indicates that the matching mode of the AS path list is deny.
permit: indicates that the matching mode of the AS path list is permit.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Create the AS path list with the sequence number of 1.
<Eudemon> system-view
[Eudemon] ip as-path-acl 1 permit ^10
2.11.26 ip community-list
Function
Using the ip community-list command, you can add a community filter (entry). Using the undo ip community-list command, you can delete the filter (entry).
Format
ip community-list basic-comm-list-num { deny | permit } [ community-number | aa:nn ] * &<1-16> [ internet | no-export-subconfed | no-advertise | no-export ] *
undo ip community-list basic-comm-list-num
ip community-list adv-comm-list-num { deny | permit } regular-expression
undo ip community-list adv-comm-list-num
Parameters
basic-comm-list-num: specifies the basic community filter number. The value ranges from 1 to 99.
adv-comm-list-num: specifies the advanced community filter number. The value ranges from 100 to 199.
regular-expression: specifies the regular expression matched against the community attribute.
deny: specifies the matching mode of the community filter as "deny".
permit: specifies the matching mode of the community filter as "permit".
aa:nn: specifies the community attribute number. aa and nn range from 0 to 65535. You can set 13 community numbers at most.
internet: indicates that the matched routes can be sent to any peer.
no-advertise: indicates that devices do not advertise the routes to any peer.
no-export: indicates that devices do not advertise the routes outside the AS. If an AS confederation is used, devices do not advertise the routes outside the confederation but do advertise them to the sub-ASs in the confederation.
no-export-subconfed: indicates that devices do not advertise the routes outside the AS. If an AS confederation is used, devices do not advertise the routes to other sub-ASs in the confederation either.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Configure the attribute list of the basic community whose sequence number is 1.
<Eudemon> system-view
[Eudemon] ip community-list 1 permit internet
# Configure the attribute list of the advanced community whose sequence number is 100.
<Eudemon> system-view
[Eudemon] ip community-list 100 permit ^10
2.11.27 ip ip-prefix
Function
Using the ip ip-prefix command, you can configure an address prefix list or an entry of the list. Using the undo ip ip-prefix command, you can delete an address prefix list or an entry of the list.
Format
ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ip-address mask-length [ greater-equal greater-equal | less-equal less-equal ]*
Parameters
ip-prefix-name: specifies the name of an address prefix list. It uniquely identifies the address prefix list.
index-number: identifies an entry in an address prefix list. The entry with the smaller index-number is tested first.
permit: specifies the match mode of the defined address prefix list entry as permit. When an IP address to be filtered is within the prefix range specified by a permit entry, the address passes the filtering and is not tested against the next entry. If not, the next entry is tested.
deny: specifies the match mode of the defined address prefix list entry as deny. When an IP address to be filtered is within the prefix range specified by a deny entry, the address fails the filtering and is not tested against the next entry. Otherwise, the next entry is tested.
ip-address: specifies the IP address part of the prefix range. When specified as 0.0.0.0 0, it matches all IP addresses.
mask-length: specifies the mask length part of the prefix range. When specified as 0.0.0.0 0, it matches all IP addresses.
greater-equal and less-equal: specify the prefix length range [greater-equal, less-equal] that must also be matched once the ip-address mask-length prefix range has matched. greater-equal means greater than or equal to; less-equal means less than or equal to. The values satisfy mask-length <= greater-equal <= less-equal <= 32. When only greater-equal is specified, the prefix length ranges from greater-equal to 32. When only less-equal is specified, the prefix length ranges from mask-length to less-equal.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
An address prefix list is used to filter IP addresses. It contains several entries, each of which specifies an address prefix range. The entries are in an "or" relationship: passing the filtering of any one entry means passing the filtering of the whole address prefix list, and an address that passes no entry fails the list. The address prefix range consists of two parts, determined by mask-length and by [greater-equal, less-equal] respectively. If both parts are specified, the IP address to be filtered must match both. If the network and mask-length are specified as 0.0.0.0 0, only the default route is matched. If all routes need to be matched, 0.0.0.0 0 less-equal 32 needs to be configured.
Examples
# Define an address prefix list named p1 that permits only routes with a mask length of 17 or 18 on the network segment 10.0.192.0/8 to pass.
<Eudemon> system-view
[Eudemon] ip ip-prefix p1 permit 10.0.192.0 8 greater-equal 17 less-equal 18
Format
ip policy route-policy policy-name
undo ip policy route-policy policy-name
Parameters
policy-name: specifies the policy name.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, interface policy routing is disabled.
Examples
# Enable policy routing specified by route-policy map1 at the interface GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ip policy route-policy map1
2.11.29 ip route-static
Function
Using the ip route-static command, you can configure a static route. Using the undo ip route-static command, you can cancel the configured static route.
Format
ip route-static [ vpn-instance vpn-name &<1-6> ] ip-address { mask | mask-length } { interface-type interface-number [ next-hop-address ] | [ vpn-instance vpn-name ] next-hop-address { mask | mask-length } } [ public ] [ preference preference-value ] [ reject | blackhole ]
undo ip route-static [ vpn-instance vpn-name &<1-6> ] ip-address { mask | mask-length } [ interface-type interface-number | [ vpn-instance vpn-name ] next-hop-address ] [ public ] [ preference preference-value ]
Parameters
ip-address: specifies the destination IP address in dotted decimal notation.
mask: specifies the IP address mask in dotted decimal notation.
mask-length: specifies the IP address mask length. The value is an integer ranging from 0 to 32.
interface-type interface-number: specifies the type and number of the output interface of the static route.
next-hop-address: specifies the next hop IP address of the route in dotted decimal notation.
preference-value: specifies the preference level of the route. The value is an integer ranging from 1 to 255.
reject: refers to an unreachable route.
blackhole: refers to a blackhole route.
vpn-instance vpn-name: configures routes in a specified VPN instance. The name of the VPN instance is a string of 1 to 19 characters. You can configure static routes for six VPN instances at the same time.
public: refers to a public network VPN.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the system can obtain the subnet routes directly connected to the Eudemon. When configuring a static route, the default preference is 60 if none is specified. If the route is not specified as reject or blackhole, it is reachable by default.
Precautions when configuring static routes:
- When the destination IP address and the mask are both 0.0.0.0, the configured route is the default route. If no entry in the routing table matches a packet, the packet is forwarded along the default route. Different preference levels allow flexible routing management policies. For example, when multiple routes to the same destination are configured, load sharing is implemented if they have the same preference level, and route backup is implemented if they have different preference levels.
- To configure a static route, either the output interface or the next hop address can be specified; which one to use depends on the actual conditions. For interfaces that support resolution from network address to link layer address, and for point-to-point interfaces, either the output interface or the next hop address can be specified. Non Broadcast Multi-Access (NBMA) interfaces, such as dial-up interfaces and interfaces encapsulated with frame relay, support point-to-multipoint: besides the IP route, a secondary route, that is, the mapping from IP address to link layer address, must be established at the link layer. In that case the output interface cannot be specified and the next hop IP address must be configured for the static route.
In some conditions (for example, when the link layer is encapsulated with PPP), the peer address cannot be learned, and the output interface can be specified when configuring the Eudemon. Once the output interface is specified, the configuration of this Eudemon need not be modified when the peer address changes.
Examples
# Configure the next hop of the default route as 129.102.0.2.
<Eudemon> system-view
[Eudemon] ip route-static 0.0.0.0 0.0.0.0 129.102.0.2
2.11.30 route-policy
Function
Using the route-policy command, you can create a route policy and enter route policy view. Using the undo route-policy command, you can cancel the established route policy.
Format
route-policy policy-name { deny | permit } node node-index
undo route-policy policy-name [ deny | permit | node node-index ]
Parameters
policy-name: specifies a route-policy name. The name uniquely identifies a route-policy. It is a string of 1 to 19 characters.
deny: specifies the match mode of the defined route-policy node as deny. When a route matches all the if-match clauses of this node, it is refused by the filter and is not tested by the next node.
permit: specifies the match mode of the defined route-policy node as permit. If a route matches all the if-match clauses of this node, it passes the filter and the apply clauses of this node are executed. If not, it is tested by the next node of this route-policy.
node-index: specifies a node index in the route-policy, in the range of 0 to 65535. When this route-policy is used for route filtering, the node with the smaller node index is tested first.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no route policy is defined.
NOTE
You can set up to 1000 route policies and 20 nodes for each Route-Policy.
Examples
# Configure a route-policy named map1 whose node number is 10 and match mode is permit, and enter route-policy view.
<Eudemon> system-view
[Eudemon] route-policy map1 permit node 10
[Eudemon-route-policy]
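The filtering semantics described for ip ip-prefix (mask-length plus [greater-equal, less-equal], first matching entry decides, 0.0.0.0 0 versus 0.0.0.0 0 less-equal 32) and for route-policy nodes (if-match clauses ANDed, nodes tested in index order, deny stops further testing), modelled as an added example in Python. This is not Huawei code; the class and function names (PrefixEntry, Node, evaluate_policy, run_demo) and the configuration it evaluates are this example's own, and the rule that a node with no if-match clause matches every route is an assumption the page does not state.

```python
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Optional

# Added example (not Huawei code) modelling the ip ip-prefix and route-policy
# filtering semantics described in the command reference. All names are ours.


@dataclass
class PrefixEntry:
    """One ip ip-prefix entry: { permit | deny } ip-address mask-length
    [ greater-equal ge ] [ less-equal le ]; entries are kept in index order."""
    permit: bool
    network: ipaddress.IPv4Network
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # Part 1 of the range: the route must lie inside ip-address/mask-length.
        if not route.subnet_of(self.network):
            return False
        # Part 2: the route's own prefix length must lie in [ge, le], with the
        # defaults the page gives: neither given -> exactly mask-length,
        # only greater-equal -> [ge, 32], only less-equal -> [mask-length, le].
        mask_len = self.network.prefixlen
        low = mask_len if self.greater_equal is None else self.greater_equal
        if self.less_equal is not None:
            high = self.less_equal
        elif self.greater_equal is not None:
            high = 32
        else:
            high = mask_len
        return low <= route.prefixlen <= high


def prefix_list_permits(entries: List[PrefixEntry], route: ipaddress.IPv4Network) -> bool:
    """First matching entry decides; entries are ORed; a route matching no
    entry fails the list (the implicit deny the usage guidelines describe)."""
    for entry in entries:
        if entry.matches(route):
            return entry.permit
    return False


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    cost: int = 0
    tag: int = 0


@dataclass
class Node:
    """One route-policy node: every if-match clause must hold (AND);
    nodes are tested in ascending node-index order."""
    index: int
    permit: bool
    if_match: List[Callable[[Route], bool]] = field(default_factory=list)
    apply: Dict[str, int] = field(default_factory=dict)


def evaluate_policy(nodes: List[Node], route: Route) -> Optional[Route]:
    """Return a copy of the route with the apply clauses executed when a permit
    node matches; None when a deny node matches first or no node matches."""
    for node in sorted(nodes, key=lambda n: n.index):
        # Assumption (not stated on the page): a node with no if-match clause
        # matches every route; all() of an empty list is True.
        if all(cond(route) for cond in node.if_match):
            if not node.permit:
                return None  # matched deny node: refused, later nodes not tested
            return replace(route, **node.apply)
    return None  # no node matched: the route does not pass the policy


# Constructed configuration mirroring the page's examples: prefix list p1
# (permit only /17 and /18 inside 10.0.0.0/8), the two 0.0.0.0 0 forms from
# the usage guidelines, and a policy whose node 10 resembles policy1.
P1 = [PrefixEntry(True, ipaddress.ip_network("10.0.192.0/8", strict=False), 17, 18)]
DEFAULT_ONLY = [PrefixEntry(True, ipaddress.ip_network("0.0.0.0/0"))]
ALL_ROUTES = [PrefixEntry(True, ipaddress.ip_network("0.0.0.0/0"), less_equal=32)]
POLICY = [
    Node(5, permit=False, if_match=[lambda r: r.tag == 8]),          # if-match tag 8
    Node(10, permit=True,
         if_match=[lambda r: prefix_list_permits(P1, r.prefix)],    # if-match ip-prefix p1
         apply={"cost": 100, "tag": 100}),                          # apply cost 100 / apply tag 100
    Node(20, permit=True),                                          # catch-all permit node
]


def run_demo() -> Dict[str, object]:
    net = ipaddress.ip_network
    r17 = evaluate_policy(POLICY, Route(net("10.1.0.0/17")))
    r20 = evaluate_policy(POLICY, Route(net("10.1.0.0/20"), cost=5))
    return {
        "p1_17": (r17.cost, r17.tag) if r17 else None,  # (100, 100): node 10 applied
        "p1_20": (r20.cost, r20.tag) if r20 else None,  # (5, 0): fell through to node 20
        "tag8": evaluate_policy(POLICY, Route(net("10.1.0.0/17"), tag=8)),  # None: node 5
        "default_only": [prefix_list_permits(DEFAULT_ONLY, net(p))
                         for p in ("0.0.0.0/0", "10.0.0.0/8")],  # [True, False]
        "all_routes": [prefix_list_permits(ALL_ROUTES, net(p))
                       for p in ("0.0.0.0/0", "10.0.0.0/8")],    # [True, True]
    }
```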
2.12.1 checkzero
Function
Using the checkzero command, you can check the zero field of RIP-1 packet. Using the undo checkzero command, you can cancel the check of the zero fields.
Format
checkzero
undo checkzero
Parameters
None
Views
RIP view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, RIP-1 performs the zero field check. According to RFC 1058, some fields in RIP-1 packets must be zero; these are called zero fields. With the checkzero command, the zero field check for RIP-1 packets can be enabled or disabled. When the check is enabled, a received RIP-1 packet whose zero fields are not zero is rejected. Because RIP-2 packets use these fields for other purposes and have no zero fields, this command has no effect on RIP-2. To save CPU resources, the zero field check can be skipped when all neighbors are reliable.
Examples
# Disable zero check for RIP-1 packet.
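The RFC 1058 zero-field check that checkzero enables, as an added example in Python (not Huawei code): it builds constructed RIP packets, rejects a version-1 packet whose must-be-zero octets are set, and skips the check for a version-2 packet, which uses those octets for route tag, subnet mask and next hop. The function names build_rip_packet and check_zero_fields are this example's own.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

# Added example, not Huawei code: the RIP-1 zero-field check of RFC 1058
# applied to constructed packets. Layout per RFC 1058:
#   header: command(1) version(1) must-be-zero(2)
#   entry:  AFI(2) must-be-zero(2) IPv4 address(4) must-be-zero(4)
#           must-be-zero(4) metric(4)
HEADER = struct.Struct("!BBH")
ENTRY = struct.Struct("!HH4sIII")
RIP_RESPONSE = 2
AFI_INET = 2


def build_rip_packet(version: int, routes: List[Tuple[str, int]],
                     mbz: Tuple[int, int, int, int] = (0, 0, 0, 0)) -> bytes:
    """Constructed packet builder. mbz sets the header must-be-zero field and
    the three per-entry must-be-zero fields, so a test can make them non-zero."""
    h0, e0, e1, e2 = mbz
    data = HEADER.pack(RIP_RESPONSE, version, h0)
    for addr, metric in routes:
        data += ENTRY.pack(AFI_INET, e0, ipaddress.IPv4Address(addr).packed,
                           e1, e2, metric)
    return data


def check_zero_fields(packet: bytes) -> Tuple[bool, List[str]]:
    """Return (accept, reasons). A RIP-1 packet with any non-zero must-be-zero
    field is rejected, as the checkzero guideline describes; RIP-2 packets are
    accepted without this check because they have no zero fields."""
    reasons: List[str] = []
    body_len = len(packet) - HEADER.size
    if body_len < 0 or body_len % ENTRY.size:
        return False, ["malformed length %d" % len(packet)]
    command, version, hdr_mbz = HEADER.unpack_from(packet, 0)
    if version != 1:
        return True, ["RIP version %d: zero-field check not applicable" % version]
    if hdr_mbz:
        reasons.append("header must-be-zero field is %#x" % hdr_mbz)
    for n, off in enumerate(range(HEADER.size, len(packet), ENTRY.size)):
        afi, mbz1, addr, mbz2, mbz3, metric = ENTRY.unpack_from(packet, off)
        bad = [v for v in (mbz1, mbz2, mbz3) if v]
        if bad:
            reasons.append("entry %d (%s metric %d): non-zero fields %s"
                           % (n, ipaddress.IPv4Address(addr), metric, bad))
    return (not reasons), reasons


def demo() -> Dict[str, bool]:
    """Constructed sample packets: a clean RIP-1 response, tampered ones, a
    RIP-2 response carrying the same bytes, and a truncated packet."""
    routes = [("10.0.0.0", 1), ("192.168.1.0", 3)]
    return {
        "clean_v1": check_zero_fields(build_rip_packet(1, routes))[0],          # True
        "entry_v1": check_zero_fields(
            build_rip_packet(1, routes, (0, 0, 0xFFFFFF00, 0)))[0],             # False
        "header_v1": check_zero_fields(
            build_rip_packet(1, routes, (0x1234, 0, 0, 0)))[0],                 # False
        "same_bytes_v2": check_zero_fields(
            build_rip_packet(2, routes, (0, 0, 0xFFFFFF00, 0)))[0],             # True
        "truncated": check_zero_fields(build_rip_packet(1, routes)[:10])[0],    # False
    }
```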
Format
debugging rip { packet | receive | send }
Parameters
packet: enables debugging of RIP packets.
receive: enables debugging of received RIP packets.
send: enables debugging of sent RIP packets.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, the RIP packet debugging is disabled. You can learn the current receiving and sending RIP packets on each interface by using this command.
Examples
# Enable the RIP packets debugging.
<Eudemon> debugging rip packet
Format
default cost value
undo default cost
Parameters
value: sets the default routing cost. The value is an integer ranging from 1 to 16.
Views
RIP view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, the default routing cost is 1. If no cost is specified when routes of other protocols are imported with the import-route command, they are imported with the default routing cost set by the default cost command.
Examples
# Set the default routing cost of importing other route protocol routes as 3.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] default cost 3
Format
display rip [ vpn-instance vpn-instance-name ]
Parameters
vpn-instance: specifies a VPN instance. The RIP configuration of the specified VPN instance can be viewed.
vpn-instance-name: specifies the name of the VPN instance. The value is a character string of 1 to 19 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the current running state and configuration information of the RIP protocol.
<Eudemon> display rip
RIP is turned on
public net VPN-Instance
Checkzero is on
Default cost : 1
Summary is on
Preference : 100
Period update timer : 30
Timeout timer : 180
Garbage-collection timer : 120
No peer router
Network : 10.0.0.0
Table 2-33 shows the description of the display rip command output.
Table 2-33 Description of the display rip command output
Item                       Description
Checkzero                  MBZ (must-be-zero) field check
Default cost               Default cost of RIP routes
Summary                    Whether route aggregation is enabled
Preference                 Preference of the RIP process
Period update timer        RIP update interval
Timeout timer              Aging interval of RIP routes
Garbage-collection timer   Period for collecting garbage routes
No peer router             No assigned unicast address
Network                    Network address
Function
Using the filter-policy export command, you can filter the routes advertised by RIP. Using the undo filter-policy export command, you can cancel the filtering of advertised routes.
Format
filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]
undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]
Parameters
acl-number: specifies an ACL number used for filtering the destination addresses of the routing information. The value is an integer ranging from 2000 to 3999.
ip-prefix-name: specifies the name of an address prefix list used for filtering the destination addresses of the routes. The name is a string of 1 to 19 characters.
routing-protocol: specifies a routing protocol whose routes are to be filtered. At present this includes direct, bgp, ospf, ospf-ase, ospf-nssa and static.
Views
RIP view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, RIP does not filter the advertised routing.
Examples
# Filter the advertised route based on ACL 2003.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] filter-policy 2003 export
Using the undo filter-policy acl-number import command, you cannot filter the received global routing. Using the filter-policy ip-prefix ip-prefix-name import command, you can filter the received global routing information based on the address prefix list. Using the undo filter-policy ip-prefix ip-prefix-name import command, you cannot filter the received global routing information based on the address prefix list.
Format
filter-policy { acl-number | gateway ip-prefix-name | ip-prefix ip-prefix-name } import
undo filter-policy { acl-number | gateway ip-prefix-name | ip-prefix ip-prefix-name } import
Parameters
acl-number: specifies the ACL number used for filtering the destination addresses of the routes. The value is an integer ranging from 2000 to 3999.
gateway ip-prefix-name: specifies the name of the address prefix list used to filter the addresses of the neighboring devices that advertise the routing information. It is a string of 1 to 19 characters.
ip-prefix ip-prefix-name: specifies the name of the address prefix list used for filtering the destination addresses of the routes. It is a string of 1 to 19 characters.
Views
RIP view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, RIP does not filter the received routing. The range of the routes received by RIP can be controlled by specifying the ACL and the address prefix list.
Examples
# Filter the global routing based on ACL 2003.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] filter-policy 2003 import
2.12.7 host-route
Function
Using the host-route command, you can allow RIP to accept host routes. Using the undo host-route command, you can make RIP reject host routes.
Issue 03 (2009-06-18) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 2-181
Format
host-route
undo host-route
Parameters
None
Views
RIP view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, RIP accepts host routes. In some special cases, RIP receives a large number of host routes on the same network segment; these routes contribute little to path selection but consume many resources. In this case, the undo host-route command can be used to reject host routes.
Examples
# Configure RIP to reject a host route.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] undo host-route
Format
import-route protocol [ cost value ] [ route-policy route-policy-name ]
undo import-route protocol
Parameters
protocol: specifies the source routing protocol to be imported by RIP. At present, RIP can import the following routes: bgp, direct, ospf, ospf-ase, ospf-nssa and static.
cost value: specifies the cost of the route to be imported. The value is an integer ranging from 1 to 16.
route-policy route-policy-name: specifies the name of the configured route policy applied when the external route is imported. The name is a string of 1 to 19 characters.
Views
RIP view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, RIP does not import any other routes. The import-route command imports the routes of another protocol with a given cost. RIP regards an imported route as its own route and advertises it with the specified cost. This command can greatly enhance the ability of RIP to obtain routes, thus increasing RIP performance. If the cost value is not specified, routes are imported with the default cost. The cost is in the range of 1 to 16. A cost of 16 means an unreachable route, and the advertisement of such a route is stopped after 120 seconds.
Examples
# Import a static route with cost being 4.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] import-route static cost 4
# Set the default cost and import an OSPF route with the default cost.
[Eudemon-rip] default cost 3
[Eudemon-rip] import-route ospf
2.12.9 ipv4-family
Function
Using the ipv4-family command, you can enter the IPv4 extended address family view of RIP. Using the undo ipv4-family command, you can remove all configurations in the extended address family view and return to RIP view.
Format
ipv4-family [ unicast ] vpn-instance vpn-instance-name
undo ipv4-family [ unicast ] vpn-instance vpn-instance-name
Parameters
vpn-instance vpn-instance-name: associates the specified VPN instance with the IPv4 address family.
unicast: indicates the unicast sub-address family.
Views
RIP view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Associate the specified VPN instance with the IPv4 address family and enter RIP-VPNv4 extended address family view of RIP.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] ipv4-family vpn-instance vpn
[Eudemon-rip-af-vpn-instance]
Format
network network-address
undo network network-address
Parameters
network-address: specifies the address of the network on which RIP is enabled or disabled. Its value is the IP network address of an interface.
Views
RIP view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, RIP is disabled on all network segments and interfaces. After a RIP routing process is enabled, it is still disabled on every interface by default; RIP must be enabled on an interface with the network command. The undo network command is similar in function to the undo rip work command in interface view:
- Their similarity is that an interface configured with either command will neither receive nor transmit RIP routes. The difference is that, in the case of undo rip work, other interfaces still advertise the routes of the interface configured with undo rip work. In the case of undo network, the effect is as if undo rip work had been run on the interface and, in addition, the routes of the corresponding interfaces are no longer advertised by RIP. Therefore, packets destined for this interface cannot be forwarded.
When the network command is used on a host address, RIP is applied to the interface on the network segment that contains this address. For example, after network 129.102.1.1 is configured, both the display current-configuration command and the display rip command show the network as 129.102.0.0.
Examples
# Enable the RIP on the interface with the network address as 129.102.0.0.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] network 129.102.0.0
Format
peer ip-address
undo peer ip-address
Parameters
ip-address: specifies the IP address of a neighbor device, in dotted decimal notation.
Views
RIP view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
In general, do not use the peer command, because the interface may then receive two identical packets at the same time, one in multicast (or broadcast) mode and one in unicast mode. If the command is configured, set the interface to silent mode.
Examples
# Specify the sending destination address 202.38.165.1.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] peer 202.38.165.1
Format
preference value
undo preference
Parameters
value: specifies a preference level. The value is an integer ranging from 1 to 255.
Views
RIP view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, the route preference of RIP is 100. Every routing protocol has its own preference, whose default value is determined by the specific routing policy. When several protocols offer a route to the same destination, the preference finally determines which route is selected as the optimal route in the IP routing table.
Examples
# Specify the RIP preference as 20.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] preference 20
2.12.13 reset
Function
Using the reset command, you can reset the system parameters of RIP.
Format
reset
Parameters
None
Views
RIP view
Default Level
2: Configuration level
Usage Guidelines
When you need to set the parameters of RIP again, this command can be used to restore the default settings first.
Examples
# Reset the RIP system.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] reset
2.12.14 rip
Function
Using the rip command, you can enable RIP and enter RIP view. Using the undo rip command, you can disable RIP.
Format
rip
undo rip
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the system does not run RIP. To enter RIP view and set the global RIP parameters, RIP must be enabled first, whereas setting interface-related parameters is not restricted by whether RIP is enabled or disabled.
Examples
# Enable RIP and enter RIP view.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip]
Format
rip authentication-mode { simple password1 | md5 { nonstandard password2 md5-key-id | usual password3 } }
undo rip authentication-mode
Parameters
simple: refers to simple text authentication mode.
password1: specifies the authentication key in simple text, with 1 to 16 characters.
md5: refers to MD5 cipher text authentication mode.
nonstandard: specifies that MD5 cipher text authentication packets use the nonstandard packet format described in RFC 2082. If an MD5 cipher text authentication key is configured but the packet type is not specified, the nonstandard packet format is used and md5-key-id is 1.
password2: specifies an authentication key. When it is in simple text, the length is in the range of 8 to 16 characters; when it is in cipher text, the length is 24 characters.
md5-key-id: specifies the key ID for MD5 authentication. The value is an integer ranging from 1 to 255.
usual: specifies that MD5 cipher text authentication packets use the general packet format (RFC 1723 standard format).
password3: specifies an authentication key. When it is in simple text, the length is in the range of 8 to 16 characters; when it is in cipher text, the length is 24 characters.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
RIP-1 does not support authentication. There are two RIP authentication modes:
- Simple text authentication
- MD5 cipher text authentication
When MD5 cipher text authentication mode is used, there are two types of packet formats:
- One is described in RFC 1723, which was brought forward earlier.
- The other is described in RFC 2082.
The Eudemon supports both of the packet formats and you can select either of them on demand.
Examples
# Use the simple text authentication with the password as Admin@123 on GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] rip version 2
[Eudemon-GigabitEthernet0/0/0] rip authentication-mode simple Admin@123
# Set MD5 cipher text authentication at GigabitEthernet 0/0/0 with the password as Admin@123 and the packet type as usual.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] rip version 2
[Eudemon-GigabitEthernet0/0/0] rip authentication-mode md5 usual Admin@123
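To make the difference between the two authentication modes concrete, here is an added example in Python that is not part of the Huawei manual: it parses a RIPv2 update, tells simple text (RFC 1723) and keyed MD5 (RFC 2082) authentication apart, verifies the RFC 2082 digest trailer, and flags cleartext authentication as weak. The packets, the routes and the secret Admin@123 are constructed for the example; the Eudemon's own nonstandard/usual packet variants are not modelled.

```python
import hashlib
import socket
import struct

RIP_HEADER = struct.Struct("!BBH")        # command, version, unused (routing domain)
RIP_ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, network, mask, next hop, metric
AUTH_SIMPLE = 2   # RFC 1723: 16-byte cleartext password in the first entry
AUTH_MD5 = 3      # RFC 2082: keyed-MD5 header entry plus a digest trailer
TRAILER_LEN = 20  # AFI 0xFFFF, type 0x0001, 16-byte digest


def _pad_key(secret):
    """RFC 2082 uses the secret padded with zeros (or truncated) to 16 bytes."""
    return secret.encode().ljust(16, b"\0")[:16]


def build_rip2_response(routes, auth="none", secret="", key_id=1, seq=1):
    """Constructed test helper: a RIPv2 response carrying (network, mask, metric)
    routes with no, simple or MD5 authentication."""
    header = RIP_HEADER.pack(2, 2, 0)
    body = b"".join(
        RIP_ENTRY.pack(2, 0, socket.inet_aton(net), socket.inet_aton(mask), b"\0" * 4, metric)
        for net, mask, metric in routes)
    if auth == "none":
        return header + body
    if auth == "simple":
        return header + struct.pack("!HH16s", 0xFFFF, AUTH_SIMPLE, _pad_key(secret)) + body
    # MD5: the auth header records where the trailer starts (packet length), the key ID,
    # the digest length (16) and a sequence number that lets receivers drop replays.
    trailer_at = RIP_HEADER.size + RIP_ENTRY.size + len(body)
    auth_hdr = struct.pack("!HHHBBI8s", 0xFFFF, AUTH_MD5, trailer_at, key_id, 16, seq, b"\0" * 8)
    unsigned = header + auth_hdr + body + struct.pack("!HH", 0xFFFF, 0x0001)
    return unsigned + hashlib.md5(unsigned + _pad_key(secret)).digest()


def classify_auth(pkt):
    """Return 'none', 'simple', 'md5' or 'unknown' from a packet's first entry."""
    if len(pkt) < RIP_HEADER.size + RIP_ENTRY.size:
        raise ValueError("truncated RIP packet")
    _, version, _ = RIP_HEADER.unpack_from(pkt, 0)
    afi, auth_type = struct.unpack_from("!HH", pkt, RIP_HEADER.size)
    if version != 2 or afi != 0xFFFF:
        return "none"   # RIP-1, or a RIP-2 packet whose first entry is an ordinary route
    return {AUTH_SIMPLE: "simple", AUTH_MD5: "md5"}.get(auth_type, "unknown")


def verify_simple(pkt, password):
    """Cleartext check: the password travels unencrypted in the first entry."""
    if classify_auth(pkt) != "simple":
        return False
    return pkt[RIP_HEADER.size + 4:RIP_HEADER.size + 20] == _pad_key(password)


def verify_md5(pkt, secret):
    """Recompute the RFC 2082 digest with the configured secret and compare."""
    if classify_auth(pkt) != "md5":
        return False
    trailer_at, _key_id, auth_len, _seq = struct.unpack_from("!HBBI", pkt, RIP_HEADER.size + 4)
    if auth_len != 16 or trailer_at + TRAILER_LEN != len(pkt):
        return False
    if struct.unpack_from("!HH", pkt, trailer_at) != (0xFFFF, 0x0001):
        return False
    # The digest covers everything up to and including the trailer header,
    # followed by the padded key in place of the digest itself.
    expected = hashlib.md5(pkt[:trailer_at + 4] + _pad_key(secret)).digest()
    return pkt[trailer_at + 4:] == expected


def audit(pkt, md5_secret=None, simple_password=None):
    """Triage a received update: 'ok' only for a valid MD5 digest, 'weak' for a
    valid cleartext password (anyone on the segment can read it), else 'reject'."""
    mode = classify_auth(pkt)
    if mode == "md5" and md5_secret is not None and verify_md5(pkt, md5_secret):
        return "ok"
    if mode == "simple" and simple_password is not None and verify_simple(pkt, simple_password):
        return "weak"
    return "reject"
```

A receiver would additionally keep the last accepted sequence number per neighbour and key ID, which the block only records in the header.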
Function
Using the rip input command, you can allow an interface to receive RIP packets. Using the undo rip input command, you can prevent an interface from receiving RIP packets.
Format
rip input
undo rip input
Parameters
None
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
This command is used together with the other two commands: rip output and rip work. Functionally, rip work is equal to rip input & rip output. The latter two control the receipt and the transmission of RIP packets on an interface. The former command equals the functional combination of the latter two commands.
Examples
# Specify the interface GigabitEthernet 0/0/0 not to receive RIP packets.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] undo rip input
Format
rip metricin value
undo rip metricin
Parameters
value: specifies an additional route metric added when transmitting a packet. The value is an integer ranging from 1 to 16.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the additional route metric added when transmitting a packet is 0. This command is valid for the routes distributed by the local network and other routes imported by other devices. This command is invalid for the routes imported by the local device.
Examples
# Set the additional route metric to 2 when the interface GigabitEthernet 0/0/0 transmits RIP packets.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] rip metricin 2
Format
rip metricout value
undo rip metricout
Parameters
value: specifies an additional route metric added when transmitting a packet. The value is an integer ranging from 1 to 16.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the additional route metric added when transmitting a packet is 1. This command is valid for the routes distributed by the local network and other routes imported by other devices. This command is invalid for the routes imported by the local device.
Examples
# Set the additional route metric to 2 when the interface GigabitEthernet 0/0/0 transmits RIP packets.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] rip metricout 2
Format
rip output
undo rip output
Parameters
None
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, RIP packets can be transmitted on all interfaces (except loopback interfaces). This command is used together with the other two commands: rip input and rip work. Functionally, rip work is equal to rip input and rip output together: the latter two control the receipt and the transmission of RIP packets on an interface, and the former equals the functional combination of the latter two.
Examples
# Disable the transmission of RIP packets on the interface GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] undo rip output
Format
rip split-horizon
undo rip split-horizon
Parameters
None
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, an interface uses split horizon when transmitting RIP packets. Normally, split horizon is necessary for reducing routing loops. Only in some special cases should split horizon be disabled to ensure the correct operation of the protocol.
Examples
# Specify the interface GigabitEthernet 0/0/0 not to use split horizon when processing RIP packets.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] undo rip split-horizon
Function
Using the rip version command, you can specify a RIP version on an interface. Using the undo rip version command, you can restore the default configuration.
Format
rip version { 1 | 2 [ broadcast | multicast ] }
undo rip version
Parameters
1: specifies RIP version 1 packets on the interface.
2: specifies RIP version 2 packets on the interface.
broadcast: sends RIP-2 packets in broadcast mode.
multicast: sends RIP-2 packets in multicast mode.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the interface RIP version is RIP-1. RIP-1 transmits packets in broadcast mode, while RIP-2 transmits packets in multicast mode. When running RIP-1, the interface only receives and transmits RIP-1, and receives RIP-2 broadcast packets, but does not receive RIP-2 multicast packets. When running RIP-2 in broadcast mode, the interface receives and transmits RIP-1, RIP-2 broadcast packets and RIP-2 multicast packets. When running RIP-2 in multicast mode, the interface only receives and transmits RIP-2 multicast packets, but does not receive RIP-2 broadcast packets and RIP-1 packets.
Examples
# Set the interface GigabitEthernet 0/0/0 as RIP-2 broadcast mode.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] rip version 2 broadcast
Using the undo rip work command, you can disable the running of RIP on an interface.
Format
rip work
undo rip work
Parameters
None
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, RIP runs on an interface. This command is used together with rip input, rip output and network commands.
Examples
# Disable RIP on the interface GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] undo rip work
2.12.23 summary
Function
Using the summary command, you can enable RIP-2 automatic route summarization. Using the undo summary command, you can disable RIP-2 automatic route summarization.
Format
summary
undo summary
Parameters
None
Views
RIP view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, RIP-2 route summarization is enabled. Route aggregation reduces the routing traffic on the network as well as the size of the routing table. If RIP-2 is used, the route summarization function can be disabled with the undo summary command when it is necessary to advertise subnet routes. RIP-1 does not support subnet masks, so advertising subnet routes may cause ambiguity; therefore, RIP-1 always uses route summarization, and the undo summary command is invalid for RIP-1.
Examples
# Set RIP version on the interface GigabitEthernet 0/0/0 as RIP-2 and disable the route summarization.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] rip version 2
[Eudemon-GigabitEthernet0/0/0] quit
[Eudemon] rip
[Eudemon-rip] undo summary
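The classful behaviour behind both the network command (network 129.102.1.1 is shown as 129.102.0.0) and the summary command can be worked through with the following added Python example, which is not part of the Huawei manual. It goes slightly beyond the manual's text by applying the classic auto-summary rule that a subnet is collapsed only when it is advertised across a major-network boundary; the routes and interface addresses are constructed here.

```python
import ipaddress


def classful_network(address):
    """Return the classful (A/B/C) network that contains an IPv4 address.
    This is the network RIP records for 'network 129.102.1.1' (129.102.0.0)."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        prefix_len = 8      # class A
    elif first_octet < 192:
        prefix_len = 16     # class B
    elif first_octet < 224:
        prefix_len = 24     # class C
    else:
        raise ValueError("class D/E address has no classful network: %s" % address)
    return ipaddress.IPv4Network((address, prefix_len), strict=False)


def rip_enabled_on(network_args, interface_address):
    """Model of the network command: RIP runs on an interface when the interface
    address falls inside the classful network of any configured network argument."""
    return any(ipaddress.IPv4Address(interface_address) in classful_network(arg)
               for arg in network_args)


def advertised_routes(subnets, out_interface_address, version=2, summary=True):
    """Routes RIP would announce out of an interface. RIP-1 always summarizes;
    RIP-2 summarizes unless 'undo summary' is configured (summary=False).
    Assumption (classic auto-summary, not spelled out in the manual): a subnet is
    collapsed to its classful network only when the outgoing interface sits in a
    different classful network, i.e. the route crosses a major-network boundary."""
    summarize = version == 1 or summary
    out_major = classful_network(out_interface_address)
    announced = set()
    for subnet in subnets:
        net = ipaddress.IPv4Network(subnet)
        major = classful_network(str(net.network_address))
        if summarize and major != out_major:
            announced.add(str(major))
        else:
            announced.add(str(net))
    return announced
```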
2.12.24 timers
Function
Using the timers command, you can set the timeout interval and the regular update interval of RIP routes. Using the undo timers command, you can restore the default values.
Format
timers { timeout timeout-timer-length | update update-timer-length } *
undo timers { timeout | update } *
Parameters
timeout-timer-length: specifies the timeout interval of RIP routes. The value is an integer ranging from 1 to 3600, in seconds.
update-timer-length: specifies the regular update interval of RIP routes. The value is an integer ranging from 1 to 3600, in seconds.
Views
RIP view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, the timeout interval of RIP routes is 180 seconds, and the regular update interval is 30 seconds.
Examples
# Set the timeout interval and the regular update interval of RIP routes to 120s and 60s respectively.
<Eudemon> system-view
[Eudemon] rip
[Eudemon-rip] timers timeout 120 update 60
2.13.22 display ospf lsdb
2.13.23 display ospf nexthop
2.13.24 display ospf peer
2.13.25 display ospf peer address
2.13.26 display ospf peer interface
2.13.27 display ospf peer route-id
2.13.28 display ospf request-queue
2.13.29 display ospf retrans-queue
2.13.30 display ospf routing
2.13.31 display ospf vlink
2.13.32 filter-policy export (OSPF View)
2.13.33 filter-policy import (OSPF View)
2.13.34 import-route (OSPF View)
2.13.35 network (OSPF Area View)
2.13.36 nssa
2.13.37 opaque-capbility
2.13.38 ospf
2.13.39 ospf authentication-mode
2.13.40 ospf cost
2.13.41 ospf dr-priority
2.13.42 ospf mib-binding
2.13.43 ospf mtu-enable
2.13.44 ospf network-type
2.13.45 ospf timer dead
2.13.46 ospf timer hello
2.13.47 ospf timer poll
2.13.48 ospf timer retransmit
2.13.49 ospf trans-delay
2.13.50 peer (OSPF View)
2.13.51 preference (OSPF View)
2.13.52 reset ospf
2.13.53 router id
2.13.54 silent-interface
2.13.55 snmp-agent trap enable ospf
2.13.56 spf-schedule-interval
2.13.57 stub
2.13.58 vlink-peer
2.13.59 vpn-instance-capability simple
2.13.1 abr-summary
Function
Using the abr-summary command, you can configure route aggregation on the area border Eudemon. Using the undo abr-summary command, you can cancel route aggregation on the area border Eudemon.
Format
abr-summary ip-address mask [ advertise | not-advertise ]
undo abr-summary { all | ip-address mask }
Parameters
ip-address: specifies a network segment address, in dotted-decimal format.
mask: specifies the network mask, in dotted-decimal format.
advertise: advertises only the aggregated route.
not-advertise: suppresses the advertisement of routes in the relevant range.
all: cancels all route aggregation on the area border Eudemon.
Views
OSPF area view
Default Level
2: Configuration level
Usage Guidelines
By default, the area border Eudemon does not aggregate routes. This command is applicable only to the ABR and is used for route aggregation within an area: the ABR transmits only the aggregated route to other areas. Route aggregation means that the routing information is processed in the ABR so that, for each network segment configured with route aggregation, only one route is transmitted to other areas. Multiple aggregation network segments can be configured in an area, so OSPF can aggregate various network segments together.
Examples
# Aggregate the routes in the two network segments, 36.42.10.0 and 36.42.110.0, of OSPF area 1 into one route 36.42.0.0 and transmit it to other areas.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 1
[Eudemon-ospf-1-area-0.0.0.1] network 36.42.10.0 0.0.0.255
[Eudemon-ospf-1-area-0.0.0.1] network 36.42.110.0 0.0.0.255
[Eudemon-ospf-1-area-0.0.0.1] abr-summary 36.42.0.0 255.255.0.0
2.13.2 area
Function
Using the area command, you can enter OSPF area view. Using the undo area command, you can cancel the designated area.
Format
area area-id
undo area area-id
Parameters
area-id: specifies the ID of the OSPF area, which can be a decimal integer (ranging from 0 to 4294967295) or in IP address format.
Views
OSPF view, OSPF area view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enter area 0 view.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 0
[Eudemon-ospf-1-area-0.0.0.0]
2.13.3 asbr-summary
Function
Using the asbr-summary command, you can configure summarization of imported routes by OSPF. Using the undo asbr-summary command, you can cancel the summarization.
Format
asbr-summary ip-address mask [ not-advertise | tag tag-value ]
undo asbr-summary { all | ip-address mask }
Parameters
ip-address: specifies the IP address to match, in dotted decimal notation.
mask: specifies the IP address mask, in dotted decimal notation.
not-advertise: does not advertise routes matching the specified IP address and mask. Without this parameter, the aggregated route is advertised.
tag tag-value: controls the advertisement of routes depending on the route policy. The value is an integer ranging from 0 to 4294967295. By default, it is 1.
all: cancels all summarization of imported routes.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
By default, summarization of imported routes is disabled. After summarization of imported routes is configured, if the local Eudemon is an Autonomous System Border Router (ASBR), this command summarizes the imported Type-5 LSAs within the summary address range. When NSSA is configured, this command also summarizes the imported Type-7 LSAs within the summary address range. If the local Eudemon acts as both an ABR and the translating router in the NSSA, this command summarizes the Type-5 LSAs translated from Type-7 LSAs. If the router is not the translating Eudemon in the NSSA, the summarization is disabled.
Examples
# Configure summarization of the routes imported by the Eudemon.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] asbr-summary 10.2.0.0 255.255.0.0 not-advertise
Function
Using the authentication-mode command, you can configure an OSPF area to support the authentication attribute. Using the undo authentication-mode command, you can cancel the authentication attribute of the area.
Format
authentication-mode { simple | md5 }
undo authentication-mode
Parameters
simple: uses simple text authentication mode.
md5: uses MD5 cipher text authentication mode.
Views
OSPF area view
Default Level
2: Configuration level
Usage Guidelines
By default, an area does not support the authentication attribute. All the devices in one area must use the same authentication mode (no authentication, simple text authentication or MD5 cipher text authentication). If an authentication mode is configured, all devices on the same segment must use the same authentication key. To configure simple text authentication in the area, use the ospf authentication-mode simple command on the interfaces; use the ospf authentication-mode md5 command to configure cipher text authentication.
Examples
# Enter area 0 view.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 0
Using the undo debugging ospf command, you can disable the function. Using the debugging ospf packet command, you can enable OSPF debugging of received and sent packets. Using the undo debugging ospf packet command, you can disable OSPF debugging of received and sent packets. Using the debugging ospf spf command, you can enable debugging of the SPF calculation; the debugging information covers the IGP Shortcut and the forwarding adjacency. Using the undo debugging ospf spf command, you can disable debugging of the SPF calculation.
Format
debugging ospf [ process-id ] { all | event | lsa-originate | te }
undo debugging ospf [ process-id ] { all | event | lsa-originate }
debugging ospf [ process-id ] packet [ ack | dd | hello | request | update ]
undo debugging ospf [ process-id ] packet [ ack | dd | hello | request | update ]
debugging ospf [ process-id ] spf { all | brief | intra }
undo debugging ospf [ process-id ] spf { all | brief | intra }
debugging ospf [ process-id ] spf { asbr-summary | ase | net-summary | nssa } [ acl acl-number | ip-prefix ip-prefix-name ]
undo debugging ospf [ process-id ] spf { all | asbr-summary | ase | intra | net-summary | nssa }
Parameters
process-id: specifies an OSPF process number. The value is an integer ranging from 1 to 65535. If no process number is specified, debugging is enabled or disabled for all processes.
all: enables all OSPF debugging information.
event: enables OSPF event debugging.
lsa-originate: enables debugging of OSPF LSA origination.
te: enables debugging of the OSPF traffic-engineering extensions.
ack: enables debugging of OSPF ACK packets.
dd: enables debugging of OSPF DD packets.
hello: enables debugging of OSPF Hello packets.
request: enables debugging of OSPF Request packets.
update: enables debugging of OSPF Update packets.
all (debugging ospf spf): enables debugging of all SPF calculations.
brief: displays brief SPF information.
intra: enables SPF debugging of intra-area LSAs.
asbr-summary: enables SPF debugging of ASBR-Summary LSAs.
ase: enables SPF debugging of ASE LSAs.
net-summary: enables SPF debugging of inter-area LSAs.
nssa: enables SPF debugging of NSSA LSAs.
acl acl-number: specifies a basic ACL number in the range of 2000 to 2999.
ip-prefix ip-prefix-name: specifies the prefix list name, a string of 1 to 19 characters.
Views
User view
Default Level
3: Monitoring level
Usage Guidelines
By default, OSPF debugging is disabled. If no process number is specified, the debugging information of all OSPF processes is displayed. With multiple OSPF processes, the debugging command can enable debugging either for all processes at the same time or for a single process. If no process number is specified, the command applies to all processes, and this state is kept while the Eudemon runs regardless of whether an OSPF process exits. In this way, executing the command enables or disables the given debugging for every running OSPF process, and the debugging specified by the command is enabled automatically when a new OSPF process is started. If a process number is specified, only that process is debugged; the command is invalid if that OSPF process is not enabled, and the debugging state is not kept after the process exits.
Examples
# Enable the debugging of all packets.
<Eudemon> debugging ospf all
2.13.6 default
Function
Using the default command, you can configure the default parameters to import the external routes. The default parameters consist of cost, type (type 1 or type 2), tag, and the number of the external route that is imported by OSPF. Using the undo default command, you can restore the default value of each parameter.
Format
default { cost cost | limit limit | tag tag | type type } *
undo default { cost | limit | tag | type } *
Parameters
cost cost: indicates the default cost of the external routes imported by OSPF. The value is an integer ranging from 0 to 16777214.
limit limit: indicates the default upper limit on the number of imported external routes. The value is an integer ranging from 200 to 2147483647.
tag tag: indicates the tag of the external routes. The value is an integer ranging from 0 to 4294967295.
type type: indicates the type of the external routes, that is, type 1 or type 2.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the default value of the cost, type, tag, and the upper limit of the number of routes.
<Eudemon> system-view
[Eudemon] ospf 100
[Eudemon-ospf-100] default cost 10 limit 20000 tag 100 type 2
Format
default cost value
undo default cost
Parameters
value: specifies the default routing cost of the external routes imported by OSPF. The value is an integer ranging from 0 to 16777214. By default, its value is 1.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
Since OSPF can import external routing information and propagate it to the entire Autonomous System (AS), it is necessary to specify the default routing cost with which the protocol imports external routes. If multiple OSPF processes are enabled, the command is valid for the current process only.
Examples
# Specify the default routing cost for OSPF to import external routes as 10.
<Eudemon> system-view
[Eudemon] ospf 1
[Eudemon-ospf-1] default cost 10
Format
default interval seconds
undo default interval
Parameters
seconds: specifies the default interval for importing external routes. The value is an integer ranging from 1 to 2147483647 seconds. By default, it is 1 second.
2-206 Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 03 (2009-06-18)
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
OSPF can import external routing information and flood it through the entire AS, so the interval at which OSPF imports external routes must be defined. Together with the default limit command, it bounds how many external routes a process imports per interval.
Examples
# Specify the default interval for OSPF to import external routes as 10 seconds.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] default interval 10
Format
default limit routes undo default limit
Parameters
routes: specifies the maximum number of external routes imported per interval (see default interval). The value is an integer ranging from 200 to 2147483647. By default, the value is 1000.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
OSPF can import external routing information and flood it through the entire AS, so an upper limit on the number of external routes a process imports per interval must be defined. If multiple OSPF processes are enabled, the command applies only to the current process.
Examples
# Specify the default value of OSPF importing external routes as 200.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] default limit 200
Format
default tag tag-value undo default tag
Parameters
tag-value: sets a default tag. The value is an integer ranging from 0 to 4294967295.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
When OSPF redistributes routes learned by other routing protocols on the Eudemon as external routing information of its own AS, some additional parameters are required, including the default cost and the default tag of the route. The tag is carried unchanged in the ASE LSA and can be matched by route policies on other routers, which makes it useful for marking where a route was imported so that it can be recognized and filtered elsewhere.
Examples
# Set the default tag of OSPF imported external route of AS as 10.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] default tag 10
Function
Using the default type command, you can configure the default type when OSPF redistributes external routes. Using the undo default type command, you can restore the default type when OSPF redistributes external routes.
Format
default type type undo default type
Parameters
type: specifies the type of the external route, either type 1 or type 2.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
By default, external routes are imported as type 2. OSPF defines two types of external routing information: the cost of a type 1 route is the sum of the external cost and the intra-AS cost to the ASBR, whereas the cost of a type 2 route is the external cost alone, and a type 1 route is always preferred over a type 2 route to the same destination. The default type command specifies the type used when imported external routes do not carry an explicit type.
Examples
# Specify the default type as type 1 when OSPF imports an external route.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] default type 1
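As an added illustration, not code from the Huawei reference, the following Python models how OSPF ranks candidate AS-external paths of type 1 and type 2 (RFC 2328, section 16.4), which is what the default type, default cost and import-route type settings on this page influence. The ASBR names, costs and helper names are constructed for the demonstration.

```python
"""Added example: how OSPF picks among AS-external (ASE) paths of type 1 and 2.
Models RFC 2328 section 16.4; not code from the Huawei reference. All ASBR names
and costs below are constructed for the demonstration."""
from dataclasses import dataclass, replace

DEFAULT_ASE_COST = 1   # default of `default cost` in the reference
DEFAULT_ASE_TYPE = 2   # default of `default type` in the reference


@dataclass(frozen=True)
class AsePath:
    """One candidate path to an external prefix through one ASBR."""
    asbr: str
    external_cost: int = DEFAULT_ASE_COST  # metric carried in the ASE LSA
    internal_cost: int = 0                  # this router's intra-AS cost to the ASBR
    ext_type: int = DEFAULT_ASE_TYPE        # 1 or 2 (default type / import-route type)


def effective_cost(path):
    """Type 1: external + internal cost (comparable with intra-AS costs).
    Type 2: external cost only; the internal cost is not part of the metric."""
    if path.ext_type == 1:
        return path.external_cost + path.internal_cost
    if path.ext_type == 2:
        return path.external_cost
    raise ValueError(f"invalid external type {path.ext_type}")


def rank_key(path):
    """Lower tuple wins. Type 1 paths always beat type 2 paths; for type 2 the
    internal cost to the ASBR is only a tie-breaker on equal external cost."""
    if path.ext_type == 1:
        return (1, effective_cost(path), 0)
    return (2, effective_cost(path), path.internal_cost)


def best_path(paths):
    """The path OSPF installs for the prefix (the minimum under rank_key)."""
    if not paths:
        raise ValueError("no candidate paths")
    return min(paths, key=rank_key)


def retype(paths, ext_type):
    """Re-label the candidates as if `default type ext_type` had been configured
    on every importing ASBR."""
    return [replace(p, ext_type=ext_type) for p in paths]


# Constructed candidates: ASBR "near" is close but advertises a worse external
# cost; ASBR "far" is distant but advertises a better external cost.
NEAR = AsePath("near", external_cost=50, internal_cost=1)
FAR = AsePath("far", external_cost=20, internal_cost=100)

if __name__ == "__main__":
    print("type 2 (default):", best_path([NEAR, FAR]).asbr)   # far wins: external cost dominates
    print("type 1:", best_path(retype([NEAR, FAR], 1)).asbr)  # near wins: 51 < 120
```

With the default type 2, the distant ASBR wins because only the external cost counts; switching the same routes to type 1 makes the intra-AS distance part of the metric and the nearby ASBR wins. This is why changing default type on one ASBR can move traffic across the whole AS.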
2.13.12 default-cost
Function
Using the default-cost command, you can configure the cost of the default route that OSPF advertises into a STUB or NSSA area. Using the undo default-cost command, you can restore the cost of that default route to the default value.
Format
default-cost value
undo default-cost
Parameters
value: specifies the cost value of the default route transmitted by OSPF to the STUB or NSSA area. The value is an integer ranging from 0 to 16777214.
Views
OSPF area view
Default Level
2: Configuration level
Usage Guidelines
By default, the cost of the default route advertised by OSPF into a STUB or NSSA area is 1. This command applies to the area border devices connected to a STUB or NSSA area; on other devices it has no effect. The stub and default-cost commands are both needed when configuring a STUB area: every device connected to the STUB area must use the stub command to set the stub attribute of the area, and the ABR uses the default-cost command to set the cost of the default route it advertises into the area. If multiple OSPF processes are enabled, the command applies only to the current process.
Examples
# Set the area 1 as the STUB area and the cost of the default route transmitted to this STUB area to 60.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 1
[Eudemon-ospf-1-area-0.0.0.1] network 20.0.0.0 0.255.255.255
[Eudemon-ospf-1-area-0.0.0.1] stub
[Eudemon-ospf-1-area-0.0.0.1] default-cost 60
2.13.13 default-route-advertise
Function
Using the default-route-advertise command, you can advertise a default route into the OSPF routing domain. Using the undo default-route-advertise command, you can stop advertising the default route.
Format
default-route-advertise [ always | cost cost-value | route-policy route-policy-name | type type-value ] *
undo default-route-advertise [ always | cost | route-policy | type ] *
Parameters
always: generates an ASE LSA describing the default route and advertises it even if the local device has no default route of its own. Without this parameter, the ASE LSA for the default route is generated only when the local device is configured with a default route.
cost cost-value: specifies the cost of this ASE LSA. The value is an integer ranging from 0 to 16777214. By default, the value is 1.
route-policy route-policy-name: specifies a route policy. If the default route matches the route policy, the route policy modifies the values carried in the ASE LSA. route-policy-name is a string of 1 to 19 characters.
type type-value: specifies the cost type of this ASE LSA. The value is 1 or 2. By default, the value is 2.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
By default, OSPF does not advertise a default route. The import-route command cannot import the default route; this command must be used to advertise it into the OSPF routing domain. When the local device has no default route, the always keyword makes it generate the ASE LSA for the default route anyway. Use always deliberately and only on the device that is meant to be the exit point: every router in the domain forwards otherwise-unrouted traffic toward the device that originates the default route, and a device that advertises a default route it cannot itself forward becomes a black hole. If multiple OSPF processes are enabled, the command applies only to the current process.
Examples
# Advertise the ASE LSA that describes the default route into the OSPF routing domain.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] default-route-advertise
# Generate the ASE LSA for the default route and advertise it into the OSPF routing domain even if the local device has no default route.
[Eudemon-ospf-1] default-route-advertise always
Function
Using the display debugging ospf command, you can view the global OSPF debugging state and each process debugging state.
Format
display debugging ospf
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the global OSPF debugging state and each process debugging state.
<Eudemon> display debugging ospf
OSPF global debugging state:
OSPF SPF INTRA debugging switch is on
OSPF SPF NETSUM debugging switch is on
OSPF SPF ASBRSUM debugging switch is on
OSPF SPF ASE debugging switch is on
OSPF SPF NSSA debugging switch is on
OSPF EVENT debugging switch is on
OSPF LSA debugging switch is on
OSPF all PACKET debugging switch is on
OSPF TE debugging switch is on
Table 2-34 shows the description of the display debugging ospf command output.
Table 2-34 Description of the display debugging ospf command output
Item                                  Description
OSPF global debugging                 Indicates the global OSPF debugging information switch.
OSPF SPF INTRA debugging switch       Indicates the OSPF debugging information switch for LSAs within an area.
OSPF SPF NETSUM debugging switch      Indicates the OSPF debugging information switch for LSAs between areas.
OSPF SPF ASBRSUM debugging switch     Indicates the OSPF debugging information switch for ASBR-Summary LSAs.
OSPF SPF ASE debugging switch         Indicates the OSPF debugging information switch for ASE LSAs.
OSPF SPF NSSA debugging switch        Indicates the OSPF debugging information switch for NSSA LSAs.
OSPF EVENT debugging switch           Indicates the OSPF event debugging information switch.
OSPF LSA debugging switch             Indicates the OSPF LSA debugging information switch.
OSPF all PACKET debugging switch      Indicates the debugging information switch for all OSPF packets.
OSPF TE debugging switch              Indicates the OSPF debugging information switch for traffic-engineering extensions.
Format
display ospf [ process-id ] abr-asbr
Parameters
process-id: specifies an OSPF process ID. The value is an integer ranging from 1 to 65535.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the OSPF ABR and ASBR.
<Eudemon> display ospf abr-asbr
OSPF Process 1 with Router ID 10.1.1.2
Routing Table to ABR and ASBR
I = Intra i = Inter A = ASBR B = ABR S = SumASBR
Destination      Area       Cost   Nexthop       Interface
IB 10.10.1.2     0.0.0.0    1      10.110.1.1    GigabitEthernet0/2
Table 2-35 shows the description of the display ospf abr-asbr command output.
Table 2-35 Description of the display ospf abr-asbr command output
Item          Description
Destination   Router ID of the ABR or ASBR, preceded by its type flags
Area          Area number
Cost          Cost from the local device to the ABR or ASBR
Nexthop       Next-hop device through which packets are sent to the ABR or ASBR
Interface     Interface through which packets are sent to the ABR or ASBR
Format
display ospf [ process-id ] asbr-summary [ ip-address mask ]
Parameters
process-id: specifies an OSPF process ID. The value is an integer ranging from 1 to 65535. ip-address: specifies a matched IP address in dotted decimal notation. mask: specifies an IP address mask in dotted decimal notation.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If the ip-address and mask parameters are not specified, the aggregation information of all imported routes is displayed.
Examples
# Display the summary of all OSPF imported routes.
<Eudemon> display ospf asbr-summary
OSPF Process 1 with Router ID 192.168.1.1
Summary Addresses
Total summary address count: 2
Summary Address
net    : 168.10.0.0
mask   : 255.254.0.0
tag    : 1
status : Advertise
The Count of Route is 0
Summary Address
net    : 1.1.0.0
mask   : 255.255.0.0
tag    : 1
status : DoNotAdvertise
The Count of Route is 0
Table 2-36 shows the description of the display ospf asbr-summary command output.
Table 2-36 Description of the display ospf asbr-summary command output
Item                          Description
Total summary address count   Number of aggregated routes
net                           Network address of the aggregated route
mask                          Network mask of the aggregated route
tag                           Tag of the aggregated route
status                        Advertisement status of the aggregated route: Advertise (advertise the aggregate) or DoNotAdvertise (do not advertise the aggregate)
Function
Using the display ospf brief command, you can view the summary of OSPF.
Format
display ospf [ process-id ] brief
Parameters
process-id: specifies a process number of OSPF. The value is an integer ranging from 1 to 65535.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If no process number is specified, this command displays all OSPF processes in configuration order. When locating OSPF faults, use this command first to obtain the OSPF summary and then analyze the fault from it. The Authtype field shows the authentication configured for each area; none means that OSPF packets from any host on the attached segments are accepted without authentication, which is worth checking on a firewall before trusting the adjacencies it forms.
Examples
# Display the OSPF summary.
<Eudemon> display ospf brief
OSPF Process 1 with Router ID 3.3.3.3
OSPF Protocol Information
RouterID: 3.3.3.3 Border Router: Area
Spf-schedule-interval: 5
Routing preference: Inter/Intra: 10 External: 150
Default ASE parameters: Metric: 1 Tag: 1 Type: 2
SPF computation count: 13
Area Count: 2 Nssa Area Count: 0
Area 0.0.0.0:
Authtype: none Flags: <>
SPF scheduled: <>
Interface: 20.0.0.2 (GigabitEthernet 0/0/0)
Cost: 1 State: BackupDR Type: Broadcast Priority: 1
Designated Router: 20.0.0.1
Backup Designated Router: 20.0.0.2
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1
Interface: 30.0.0.1 (GigabitEthernet 0/0/1)
Cost: 1 State: DR Type: Broadcast Priority: 1
Designated Router: 30.0.0.1
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1
Area 0.0.0.1:
Authtype: none Flags: <Transit>
SPF scheduled: <>
Interface: 40.0.0.1 (LoopBack0) --> 40.0.0.1
Cost: 1562 State: P To P Type: PointToPoint Priority: 1
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1
Format
display ospf [ process-id ] cumulative
Parameters
process-id: specifies a process number of OSPF. The value is an integer ranging from 1 to 65535.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the OSPF cumulative information.
<Eudemon> display ospf cumulative
OSPF Process 1 with Router ID 1.1.1.1
Cumulations
IO Statistics
Type             Input   Output
Hello            225     437
DB Description   78      86
Link-State Req   18      18
Table 2-37 shows the description of the display ospf cumulative command output.
Table 2-37 Description of the display ospf cumulative command output
Item                             Description
IO statistics                    Detailed statistics of the packets and LSAs sent and received
Type                             Type of OSPF packet
Input                            Number of received packets
Output                           Number of sent packets
Hello                            OSPF Hello packets
DB Description                   OSPF Database Description packets
Link State Req                   OSPF Link State Request packets
Link State Update                OSPF Link State Update packets
Link State Ack                   OSPF Link State Acknowledgement packets
ASE Checksum                     Checksum of the autonomous system external LSAs
LSAs originated by this router   Detailed statistics of the LSAs sent and received
Router                           Router LSAs
SumNet                           Type-3 summary LSAs
SumASB                           Type-4 summary LSAs
LSA originated                   Number of LSAs generated
LSA Received                     Number of LSAs received
Area                             Area ID
Routing Table                    Routing table
Intra Area                       Number of intra-area routes
Format
display ospf [ process-id ] diagnostic-information
Parameters
process-id: specifies an OSPF process ID. The value is an integer ranging from 1 to 65535.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Regardless of the view in which the display ospf diagnostic-information command is executed, the system returns to the user view after execution. The information is displayed without screen splitting; press <Ctrl+C> to stop the display. If you are unfamiliar with OSPF commands, you can use this command to collect most of the information needed for locating OSPF faults in one pass. The display ospf diagnostic-information command runs the commands listed in Table 2-38.
Table 2-38 Commands included in the display ospf diagnostic-information command
Command                         Output
display clock
display version
display memory
display task                    Task information
display current-configuration   Current configuration
display ospf brief              OSPF summary information
display ospf cumulative         OSPF statistics
display ospf error              OSPF error information
display ospf asbr-summary       Aggregation information of imported routes
display ospf sham-link          OSPF sham-link information
display ospf vlink              OSPF virtual-link information
display ospf request-queue      OSPF request list information
display ospf retrans-queue      OSPF retransmission list
display ospf interface          OSPF interface information
display ospf peer               OSPF neighbor information
display ospf peer brief         Summary information of OSPF neighbors
display ospf lsdb brief         Summary information of the OSPF link state database
display ospf lsdb               OSPF link state database
display ospf nexthop            OSPF next-hop information
display ospf abr-asbr           Information about ABRs and ASBRs
display ospf routing            OSPF routing table information
Examples
# Display all information of OSPF process 100.
<Eudemon> display ospf 100 diagnostic-information
The display ospf diagnostic-information command contains the commands listed in Table 2-38. For details, see the commands in the table.
Format
display ospf [ process-id ] error
Parameters
process-id: specifies an OSPF process ID. The value is an integer ranging from 1 to 65535.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The counters are cumulative since the OSPF process started. The OSPF: wrong authentication type and OSPF: wrong authentication key counters increase when a neighbor is configured with a different authentication mode or key, or when unauthenticated or forged OSPF packets arrive on an interface that expects authentication; a rising count on a segment that should only carry trusted routers is worth investigating. Counters such as HELLO: netmask mismatch, HELLO: hello timer mismatch, HELLO: dead timer mismatch and DD: MTU option mismatch point at configuration mismatches that prevent an adjacency from forming.
Examples
# Display the OSPF error information.
<Eudemon> display ospf error
OSPF Process 1 with Router ID 1.1.1.1
OSPF packet error statistics:
0: IP: received my own packet            0: OSPF: wrong packet type
0: OSPF: wrong version                   0: OSPF: wrong checksum
0: OSPF: wrong area id                   0: OSPF: area mismatch
0: OSPF: wrong virtual link              0: OSPF: wrong authentication type
0: OSPF: wrong authentication key        0: OSPF: too small packet
0: OSPF: packet size > ip length         0: OSPF: transmit error
0: OSPF: interface down                  0: OSPF: unknown neighbor
0: HELLO: netmask mismatch               0: HELLO: hello timer mismatch
0: HELLO: dead timer mismatch            0: HELLO: extern option mismatch
0: HELLO: router id confusion            0: HELLO: virtual neighbor unknown
0: HELLO: NBMA neighbor unknown          0: DD: neighbor state low
0: DD: router id confusion               0: DD: extern option mismatch
0: DD: unknown LSA type                  0: LS ACK: neighbor state low
0: LS ACK: wrong ack                     0: LS ACK: duplicate ack
0: LS ACK: unknown LSA type              0: LS REQ: neighbor state low
0: LS REQ: empty request                 0: LS REQ: wrong request
0: LS UPD: neighbor state low            0: LS UPD: newer self-generate LSA
0: LS UPD: LSA checksum wrong            0: LS UPD: received less recent LSA
0: LS UPD: unknown LSA type              0: OSPF routing: next hop not exist
0: DD: MTU option mismatch               0: ROUTETYPE: wrong type value
0: OPQ-9 : out of flooding scope         0: OPQ-10 : out of flooding scope
0: OPQ-11 : out of flooding scope        0: TE LSA : unrecognized contents
0: TE LSA : absence of (sub)TLV
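The two-column layout of this output is awkward to read by eye and easy to misparse when polled. As an added example, not code from the Huawei reference, the following Python parses the counter table, reports the authentication-related counters and computes which counters rose between two snapshots. The sample output is constructed in the layout shown above; its nonzero values are invented for the demonstration, and the function names are the author's.

```python
"""Added example (not from the Huawei reference): parse `display ospf error`
output and flag authentication failures. SAMPLE_OUTPUT is constructed; the
nonzero counters are invented for the demonstration."""
import re
from collections import OrderedDict

SAMPLE_OUTPUT = """\
OSPF Process 1 with Router ID 1.1.1.1
OSPF packet error statistics:
0: IP: received my own packet            0: OSPF: wrong packet type
0: OSPF: wrong version                   3: OSPF: wrong checksum
0: OSPF: wrong area id                   0: OSPF: area mismatch
0: OSPF: wrong virtual link              2: OSPF: wrong authentication type
7: OSPF: wrong authentication key        0: OSPF: too small packet
0: HELLO: netmask mismatch               0: HELLO: hello timer mismatch
0: OPQ-9 : out of flooding scope         0: OPQ-10 : out of flooding scope
"""

# One cell is "<count>: <counter name>"; the name itself contains a single ": ".
CELL = re.compile(r"^(\d+)\s*:\s*(\S.*?)\s*$")

# Counters that indicate a key/mode mismatch or unauthenticated packets.
AUTH_COUNTERS = ("OSPF: wrong authentication type", "OSPF: wrong authentication key")


def parse_ospf_errors(text):
    """Return an ordered {counter name: value} map. The two columns of each
    line are separated by a run of two or more spaces, so split on that
    first and then match each cell; header lines never start with a digit."""
    counters = OrderedDict()
    for line in text.splitlines():
        for cell in re.split(r"\s{2,}", line.strip()):
            m = CELL.match(cell)
            if m:
                counters[m.group(2)] = int(m.group(1))
    return counters


def auth_findings(counters):
    """Nonzero authentication counters: a neighbor with a different mode or
    key, or unauthenticated/forged packets reaching an authenticated interface."""
    return {name: counters[name] for name in AUTH_COUNTERS if counters.get(name, 0) > 0}


def nonzero(counters):
    """Every counter that has fired at least once since the process started."""
    return {name: value for name, value in counters.items() if value}


def rising(previous, current):
    """Counters that grew between two snapshots, with the increment. Because the
    device only exposes cumulative totals, this is what a poller should alert on."""
    return {name: value - previous.get(name, 0)
            for name, value in current.items() if value > previous.get(name, 0)}


if __name__ == "__main__":
    snapshot = parse_ospf_errors(SAMPLE_OUTPUT)
    for name, value in nonzero(snapshot).items():
        print(f"{value:6d}  {name}")
    print("authentication findings:", auth_findings(snapshot))
```

Run the parser against successive captures of the command and feed the result of rising() to whatever alerting you use; a cumulative total that never changes is background noise, a total that keeps growing on an internal segment is not.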
Format
display ospf [ process-id ] interface [ interface-type interface-number ]
Parameters
process-id: specifies an OSPF process ID. The value is an integer ranging from 1 to 65535. interface-type: specifies the type of an interface. interface-number: specifies the number of an interface.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the OSPF interface GigabitEthernet 0/0/0.
<Eudemon> display ospf interface GigabitEthernet 0/0/0
Interface: 10.110.0.2 (GigabitEthernet 0/0/0)
Cost: 1 State: BackupDR Type: Broadcast Priority: 1
Designated Router: 10.110.0.1
Backup Designated Router: 10.110.0.2
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1
Format
display ospf [ process-id [ area-id ] ] lsdb [ brief ]
display ospf process-id area-id lsdb [ router | network | summary | asbr | ase | nssa | opaque { area-local | link-local } ] [ link-state-id ] [ originate-router [ advertising-router-id ] | self-originate ]
display ospf [ process-id ] lsdb [ router | network | summary | asbr | ase | nssa | opaque { as | area-local | link-local } ] [ link-state-id ] [ originate-router [ advertising-router-id ] | self-originate ]
Parameters
process-id: specifies an OSPF process ID. The value is an integer ranging from 1 to 65535.
area-id: specifies the ID of the OSPF area, as a decimal integer ranging from 0 to 4294967295 or in IP address format.
brief: displays the database in brief.
router: displays the Type-1 LSAs (Router-LSAs).
network: displays the Type-2 LSAs (Network-LSAs).
summary: displays the Type-3 LSAs (Summary-Net-LSAs).
asbr: displays the Type-4 LSAs (Summary-ASBR-LSAs).
ase: displays the Type-5 LSAs (AS-external-LSAs).
nssa: displays the Type-7 LSAs (NSSA-external-LSAs).
opaque as: displays the Type-11 LSAs.
opaque area-local: displays the Type-10 LSAs.
opaque link-local: displays the Type-9 LSAs.
link-state-id: specifies a link state ID in IP address format.
originate-router advertising-router-id: specifies the router ID of the router that advertised the LSA.
self-originate: displays the LSAs originated by the local device.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the OSPF link state database.
<Eudemon> display ospf lsdb
OSPF Process 1 with Router ID 123.1.1.1
Link State Database
Area: 0.0.0.0
Type  LinkState ID  AdvRouter  Age  Len  Sequence  Metric  Where
Rtr   1.1.1.1       1.1.1.1    563  36   80000008  0       SpfTree
Net   1.1.1.2       123.1.1.1  595  32   80000001  0       SpfTree
AS External Database:
Type  LinkState ID  AdvRouter  Age  Len  Sequence  Metric  Where
ASE   1.1.0.0       1.1.1.1    561  36   80000001  1       Uninitialized
ASE   123.1.1.1     1.1.1.1    561  36   80000001  1       Uninitialized
Format
display ospf [ process-id ] nexthop
Parameters
process-id: specifies an OSPF process ID. The value is an integer ranging from 1 to 65535.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the OSPF next-hop.
<Eudemon> display ospf nexthop
Address        Type      Refcount  Intf Addr      Intf Name
----------------------------------------------------------------
202.38.160.1   Direct    3         202.38.160.1   GigabitEthernet 0/0/0
202.38.160.2   Neighbor  1         202.38.160.1   GigabitEthernet 0/0/0
Function
Using the display ospf peer command, you can view the neighbors in each OSPF area. Using the display ospf peer brief command, you can view a summary of the OSPF neighbors, mainly the number of neighbors in each state in every area.
Format
display ospf [ process-id ] peer [ brief ] display ospf [ process-id [ area-id ] ] peer
Parameters
process-id: specifies an OSPF process ID.
area-id: specifies an area ID as a decimal integer ranging from 0 to 4294967295 or in dotted decimal notation. If area-id is specified, the command displays the OSPF neighbor relationships in that area only, and brief cannot be used.
brief: displays a summary of the neighbors in all areas.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The format in which the neighbor up time is displayed depends on its length:
XXYXXMXXD: more than a year (year:month:day)
XXXdXXhXXm: more than a day but less than a year (day:hour:minute)
XX:XX:XX: less than a day (hour:minute:second)
Examples
# Display OSPF peer.
<Eudemon> display ospf peer
Area 0.0.0.0 interface 1.1.1.1(Pos2/0/0)'s neighbor(s)
RouterID: 1.1.1.3 Address: 1.1.1.3
State: Full Mode: Nbr is Master Priority: 1
DR: 1.1.1.3 BDR: 1.1.1.1
Dead timer expires in 31s
Neighbor comes up for 00:08:24
# Display the number of OSPF neighbors in each state.
<Eudemon> display ospf peer brief
Neighbor
Down       0  0  0
Attempt    0  0  0
Init       0  0  0
Exchange   0  0  0
Loading    0  0  0
Full       1  1  2
Total      1  1  2
Format
display ospf [ process-id ] peer address ip-address
Parameters
process-id: specifies an OSPF process ID. ip-address: specifies the IP address of a neighbor to display the neighbor relationship between the local device and the specified router.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the OSPF neighbor between the local device and the router with IP address 10.1.1.1.
<Eudemon> display ospf peer address 10.1.1.1
OSPF Process 100 with Router ID 3.3.3.3
Neighbors
Area 1 interface 10.1.1.2(Serial1)'s neighbor(s)
RouterID: 2.2.2.2 Address: 10.1.1.1
State: Full Mode: Nbr is Master Priority: 1
DR: None BDR: None
Dead timer expires in 34s
Neighbor comes up for 00:27:15
Function
Using the display ospf peer interface command, you can display OSPF neighbors on an interface.
Format
display ospf [ process-id ] peer interface interface-type interface-number
Parameters
process-id: specifies an OSPF process ID. interface-type: specifies the type of an interface. interface-number: specifies the number of an interface.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command cannot display OSPF neighbors of sham links.
Examples
# Display OSPF neighbors at interface GigabitEthernet 0/0/0.
<Eudemon> display ospf peer interface GigabitEthernet 0/0/0
OSPF Process 100 with Router ID 3.3.3.3
Neighbors
Area 1 interface 10.1.1.2(Serial1)'s neighbor(s)
RouterID: 2.2.2.2 Address: 10.1.1.1
State: Full Mode: Nbr is Master Priority: 1
DR: None BDR: None
Dead timer expires in 34s
Neighbor comes up for 00:27:15
Format
display ospf [ process-id ] peer router-id router-id
Parameters
process-id: specifies an OSPF process ID. router-id: specifies a device ID in dotted decimal notation to display neighbor relationship with the device.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the OSPF neighbor relationship with Router whose ID is 4.4.4.4.
<Eudemon> display ospf peer router-id 4.4.4.4
OSPF Process 100 with Router ID 3.3.3.3
Neighbors
Area 2 interface 168.1.12.1(Serial0)'s neighbor(s)
RouterID: 4.4.4.4 Address: 168.1.12.2
State: Full Mode: Nbr is Master Priority: 1
DR: None BDR: None
Dead timer expires in 34s
Neighbor comes up for 00:03:43
Format
display ospf [ process-id ] request-queue
Parameters
process-id: specifies an OSPF process ID.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the OSPF request queue.
<Eudemon> display ospf request-queue
The Router's Neighbors is
RouterID: 103.160.1.1 Address: 103.169.2.5
Interface: 103.169.2.2 Area: 0.0.0.1
LSID:129.11.25.0 AdvRouter:103.160.1.1 Sequence:80000001
LSID:129.11.25.0 AdvRouter:103.160.1.1 Sequence:80000001
LSID:129.11.25.0 AdvRouter:103.160.1.1 Sequence:80000001
Format
display ospf [ process-id ] retrans-queue
Parameters
process-id: specifies an OSPF process ID.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the OSPF retransmission queue.
<Eudemon> display ospf retrans-queue
OSPF Process 200 with Router ID 103.160.1.1
Retransmit List
The Router's Neighbors is
RouterID: 162.162.162.162 Address: 103.169.2.2
Interface: 103.169.2.5 Area: 0.0.0.1
Retrans list:
Type: ASE LSID:129.11.77.0 AdvRouter:103.160.1.1
Type: ASE LSID:129.11.108.0 AdvRouter:103.160.1.1
Format
display ospf [ process-id ] routing
Parameters
process-id: specifies an OSPF process ID in a range of 1 to 65535.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the routing table about OSPF.
<Eudemon> display ospf routing
OSPF Process 1 with Router ID 61.100.100.1
Routing Tables
Total Nets: 0
Intra Area: 0 Inter Area: 0 ASE: 0 NSSA: 0
Format
display ospf [ process-id ] vlink
Parameters
process-id: specifies an OSPF process ID.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display OSPF virtual links.
<Eudemon> display ospf vlink
Virtual-link Neighbor-id -> 1.1.1.1, State: Down
Cost: 0 State: Down Type: Virtual
Transit Area: 0.0.0.1
Timers: Hello 10, Dead 40, Poll 0, Retransmit 5, Transmit Delay 1
Format
filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ] undo filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-protocol ]
Parameters
acl-number: specifies an ACL number ranging from 2000 to 3999. ACLs numbered 2000 to 2999 are basic ACLs, and ACLs numbered 3000 to 3999 are advanced ACLs.
ip-prefix ip-prefix-name: specifies the name of an IP prefix list, a string of 1 to 19 characters.
routing-protocol: specifies the protocol whose routes are filtered when they are advertised. At present, direct, bgp, rip and static are supported.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
By default, the routes that OSPF advertises are not filtered.
In some cases only routes meeting certain conditions should be advertised. The filter-policy export command sets the filtering conditions applied to the routes that OSPF imports and advertises as external routes; only routes that pass the filter are advertised. Because OSPF floods link state information rather than routes, export filtering applies to the external routes imported with the import-route command and not to the LSAs exchanged inside the OSPF domain.
Examples
# Configure OSPF that only advertises the routing information permitted by ACL 2001.
<Eudemon> system-view
[Eudemon] acl number 2001
[Eudemon-acl-basic-2001] rule permit source 11.0.0.0 0.255.255.255
[Eudemon-acl-basic-2001] rule deny source any
[Eudemon-acl-basic-2001] quit
[Eudemon] ospf
[Eudemon-ospf-1] filter-policy 2001 export
Format
filter-policy { acl-number | ip-prefix ip-prefix-name | gateway ip-prefix-name } import
undo filter-policy { acl-number | ip-prefix ip-prefix-name | gateway ip-prefix-name } import
Parameters
acl-number: specifies the number of an ACL used to filter on the destination addresses of the routes.
ip-prefix ip-prefix-name: specifies the name of an IP prefix list used to filter on the destination addresses of the routes.
gateway ip-prefix-name: specifies the name of an IP prefix list used to filter on the addresses of the neighboring devices that advertised the routes.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
By default, the received routes are not filtered.
In some cases only routes meeting certain conditions should be accepted. The filter-policy import command sets the filtering conditions for the routes that OSPF calculates; only routes that pass the filter are added to the routing table. Filtering can be based on the destination of the route (acl-number or ip-prefix) or on its next hop (gateway). Because OSPF is a link-state protocol, its routes are derived from the link state database rather than received as routes, so this command cannot filter the LSAs that are received or advertised: a route that is filtered out is still present in the LSDB and is still flooded to the other routers. The command is therefore more limited in OSPF than in a distance-vector protocol, and it does not protect the rest of the area from an unwanted prefix; to stop a prefix at its source, filter on the importing ASBR with filter-policy export or a route policy. If multiple OSPF processes are enabled, the command applies only to the current process.
Examples
# Filter the received routing according to the rule defined by ACL 2002.
<Eudemon> system-view
[Eudemon] acl number 2002
[Eudemon-acl-basic-2002] rule permit source 20.0.0.0 0.255.255.255
[Eudemon-acl-basic-2002] rule deny source any
[Eudemon-acl-basic-2002] quit
[Eudemon] ospf
[Eudemon-ospf-1] filter-policy 2002 import
Format
import-route protocol [ process-id ] [ cost value | type { 1 | 2 } | tag value | route-policy route-policy-name ] *
undo import-route protocol [ process-id ]
Parameters
protocol: specifies the source routing protocol to be imported. At present, direct, static, rip, ospf, ospf-ase, ospf-nssa and bgp are supported.
ospf process-id: imports the internal routes of OSPF process process-id as external routing information. If no process number is specified, the default OSPF process 1 is used.
ospf-ase process-id: imports the ASE external routes of OSPF process process-id as external routing information. If no process number is specified, the default OSPF process 1 is used.
ospf-nssa process-id: imports the NSSA external routes of OSPF process process-id as external routing information. If no process number is specified, the default OSPF process 1 is used.
cost value: specifies the cost of the imported external routes. The value is an integer ranging from 0 to 16777214.
type { 1 | 2 }: specifies the metric type of the imported external routes.
tag value: specifies the tag of the imported external routes. The value is an integer ranging from 0 to 4294967295.
route-policy route-policy-name: imports only the routes matching the specified route policy.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
By default, routes of other protocols are not imported. The process-id depends on the protocol; some protocols do not need a process-id.
Examples
# Specify an imported RIP route as the route of type 2, with the route tag as 33 and the route cost as 50.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] import-route rip type 2 tag 33 cost 50
# Specify OSPF process 100 to import the route found by OSPF 160.
<Eudemon> system-view
[Eudemon] ospf 100
[Eudemon-ospf-100] import-route ospf 160
Format
network ip-address wildcard-mask
undo network ip-address wildcard-mask
Parameters
ip-address: specifies the address of the network segment where the interface is located.
wildcard-mask: specifies the IP address wildcard mask, which is the inverse of the IP address mask.
Views
OSPF area view
Default Level
2: Configuration level
Usage Guidelines
By default, the interface does not belong to any area. For an interface to run the OSPF protocol, the master IP address of the interface must be in the network segment specified by this command. If only a slave IP address of the interface is in that network segment, the interface does not run the OSPF protocol.
Examples
# Specify the interfaces whose master IP addresses are in the segment range of 10.110.36.0 to run the OSPF protocol and specify the number of the OSPF area (where these interfaces are located) as 6.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 6
[Eudemon-ospf-1-area-0.0.0.6] network 10.110.36.0 0.0.0.255
# Enable OSPF process 100 on the Eudemon and specify the number of the area where the interface is located as 2.
<Eudemon> system-view
[Eudemon] router id 10.110.1.9
[Eudemon] ospf 100
[Eudemon-ospf-100] area 2
[Eudemon-ospf-100-area-0.0.0.2] network 131.108.20.0 0.0.0.255
# Bind OSPF process 200 with the virtual firewall vpn1 on the Eudemon and specify the number of the area where the interface is located as 1.
<Eudemon> system-view
[Eudemon] ospf 200 vpn-instance vpn1
[Eudemon-ospf-200] area 1
[Eudemon-ospf-200-area-0.0.0.1] network 131.108.20.0 0.0.0.255
# Bind OSPF process 300 with the virtual firewall vpn1 on the Eudemon and specify the number of the area where the interface is located as 2.
<Eudemon> system-view
[Eudemon] ospf 300 vpn-instance vpn1
[Eudemon-ospf-300] area 2
[Eudemon-ospf-300-area-0.0.0.2] network 131.108.21.0 0.0.0.255
2.13.36 nssa
Function
Using the nssa command, you can configure an area as an NSSA area. Using the undo nssa command, you can cancel the setting.
Format
nssa [ default-route-advertise | no-import-route | no-summary ] *
undo nssa
Parameters
default-route-advertise: imports a default route into the NSSA area.
no-import-route: does not import the routes specified by import-route into the NSSA area.
no-summary: prevents the ABR from transmitting Summary-Net LSAs into the NSSA area.
Views
OSPF area view
Default Level
2: Configuration level
Usage Guidelines
By default, no area is configured as an NSSA area. All devices connected to the NSSA area must be configured with the nssa command so that the area carries the NSSA attribute. The default-route-advertise parameter generates a default type-7 LSA. On an ABR, the type-7 default-route LSA is always generated, whether or not route 0.0.0.0 exists in the routing table. On an ASBR, the type-7 default-route LSA is generated only when route 0.0.0.0 exists in the routing table. On an ASBR, the no-import-route parameter prevents the external routes imported by OSPF through the import-route command from being advertised into the NSSA area.
Examples
# Configure area 1 as NSSA area.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 1
[Eudemon-ospf-1-area-0.0.0.1] network 10.110.0.0 0.255.255.255
[Eudemon-ospf-1-area-0.0.0.1] nssa
2.13.37 opaque-capability
Function
Using the opaque-capability enable command, you can enable the Opaque capability of OSPF. Using the undo opaque-capability command, you can disable the Opaque capability of OSPF.
Format
opaque-capability enable
undo opaque-capability
Parameters
None
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
By default, the Opaque capability of OSPF is disabled. If an application based on Opaque LSAs is enabled, for example the area TE capability, the Opaque capability cannot be disabled.
Examples
# Enable Opaque capability.
<Eudemon> system-view
[Eudemon] ospf 100
[Eudemon-ospf-100] opaque-capability enable
2.13.38 ospf
Function
Using the ospf command, you can enable the OSPF protocol. Using the undo ospf command, you can disable the OSPF protocol.
Format
ospf process-id [ router-id router-id ] [ vpn-instance vpn-instance-name ]
undo ospf [ process-id ]
Parameters
process-id: specifies the OSPF process number. The value is an integer ranging from 1 to 65535. By default, the number is 1.
router-id: specifies the router ID used by the OSPF process, in dotted decimal format.
vpn-instance vpn-instance-name: specifies the VPN instance. The name of the VPN instance is a string of 1 to 19 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the system does not run the OSPF protocol. You can run multiple OSPF processes on the device by specifying different process IDs. In that case, it is recommended to specify a device ID for each process with the router-id parameter.
Examples
# Enable the running of the OSPF protocol.
<Eudemon> system-view
[Eudemon] router id 10.110.1.8
[Eudemon] ospf
[Eudemon-ospf-1]
Format
ospf authentication-mode { simple password | md5 key-id key }
undo ospf authentication-mode { simple | md5 }
Parameters
simple: indicates simple authentication.
password: specifies the plain-text authentication key. It is a string of 1 to 8 characters.
md5: indicates MD5 authentication.
key-id: specifies the ID of the authentication key in MD5 cipher-text authentication mode. The value is an integer ranging from 1 to 255.
key: specifies the MD5 authentication key. If it is entered in plain text, the MD5 key is a string of 8 to 16 characters, and it is displayed in cipher text with a length of 24 characters when the display current-configuration command is executed. Entering the 24-character MD5 key in cipher-text form is also supported.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the interface does not authenticate OSPF packets. The authentication keys of the devices on the same network segment must be identical. In addition, you must use the authentication-mode command to set the authentication type of the area for this interface configuration to take effect.
Examples
# Set the area 1 where the network segment 131.119.0.0 of Interface GigabitEthernet 0/0/0 is located to support MD5 cipher text authentication. The authentication key identifier is set to 15 and the authentication key is testkeya.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 1
[Eudemon-ospf-1-area-0.0.0.1] network 131.119.0.0 0.0.255.255
[Eudemon-ospf-1-area-0.0.0.1] authentication-mode md5
[Eudemon-ospf-1-area-0.0.0.1] quit
[Eudemon-ospf-1] quit
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ospf authentication-mode md5 15 testkeya
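What the md5 key-id key mode above puts on the wire is the cryptographic authentication trailer of RFC 2328, Appendix D. The following is an added illustration, not the Eudemon's own code: it signs a constructed Hello packet with the page's key ID 15 and key testkeya, then verifies it the way a receiving interface would (key looked up by ID, digest recomputed, packet dropped on mismatch). It assumes a key shorter than 16 bytes is zero-padded, and the router ID, area ID and Hello fields are constructed sample values.

```python
# Added illustration (not the Eudemon's own code) of the OSPF cryptographic
# authentication trailer (RFC 2328, Appendix D) behind "ospf authentication-mode
# md5 15 testkeya". Packet fields, router ID and area ID are constructed.
import hashlib
import hmac
import struct

AUTYPE_MD5 = 2          # AuType value for cryptographic authentication
OSPF_HEADER_LEN = 24    # fixed OSPFv2 header length
DIGEST_LEN = 16         # MD5 digest length, carried in the Auth Data Len byte
HELLO_TYPE = 1


def pad_key(key: str) -> bytes:
    # RFC 2328 D.3 works with a 16-byte key. Assumption: a shorter key (the
    # page allows 8 to 16 characters) is zero-padded on the right.
    raw = key.encode("ascii")
    if not 1 <= len(raw) <= DIGEST_LEN:
        raise ValueError("key must be 1 to 16 bytes")
    return raw.ljust(DIGEST_LEN, b"\x00")


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def hello_body(mask: str, hello: int, dead: int, priority: int) -> bytes:
    # Hello body with no neighbours listed: Network Mask, HelloInterval,
    # Options, Rtr Pri, RouterDeadInterval, DR, BDR (RFC 2328 A.3.2).
    return struct.pack("!4sHBBI4s4s", ip_bytes(mask), hello, 0x02, priority,
                       dead, b"\x00" * 4, b"\x00" * 4)


def sign_packet(body: bytes, router_id: str, area_id: str,
                key_id: int, key: str, seq: int) -> bytes:
    # Sender side (RFC 2328 D.4.3). Length covers header + body only; the
    # digest follows the packet and is not counted. The checksum stays 0
    # because it is not computed when AuType is 2.
    length = OSPF_HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", 2, HELLO_TYPE, length,
                         ip_bytes(router_id), ip_bytes(area_id), 0, AUTYPE_MD5)
    # Authentication field for AuType 2: 16 zero bits, Key ID, Auth Data Len,
    # 32-bit cryptographic sequence number (replay protection).
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + auth_field + body
    # Append the secret key, hash, and the digest takes the place of the key.
    digest = hashlib.md5(packet + pad_key(key)).digest()
    return packet + digest


def verify_packet(raw: bytes, keys: dict) -> bool:
    # Receiver side (RFC 2328 D.4.4): select the key by Key ID, recompute the
    # digest over header + body with the key appended, compare in constant time.
    # `keys` maps key-id -> key string, as configured on the receiving interface.
    if len(raw) < OSPF_HEADER_LEN + DIGEST_LEN:
        return False
    version, _ptype, length, _rid, _aid, _csum, autype = struct.unpack(
        "!BBH4s4sHH", raw[:16])
    if version != 2 or autype != AUTYPE_MD5:
        return False
    _zero, key_id, auth_len, _seq = struct.unpack("!HBBI", raw[16:24])
    if auth_len != DIGEST_LEN or len(raw) != length + DIGEST_LEN:
        return False
    key = keys.get(key_id)
    if key is None:
        return False    # no key with this ID on the interface: packet is dropped
    expected = hashlib.md5(raw[:length] + pad_key(key)).digest()
    return hmac.compare_digest(expected, raw[length:])


def demo() -> dict:
    # Two routers on the page's 131.119.0.0/16 segment share key ID 15.
    body = hello_body("255.255.0.0", hello=10, dead=40, priority=1)
    packet = sign_packet(body, "10.110.1.8", "0.0.0.1", 15, "testkeya", seq=1)
    tampered = bytearray(packet)
    tampered[OSPF_HEADER_LEN + 4] ^= 0x01    # flip one bit of HelloInterval
    return {
        "same_key": verify_packet(packet, {15: "testkeya"}),
        "wrong_key": verify_packet(packet, {15: "otherkey"}),
        "wrong_key_id": verify_packet(packet, {16: "testkeya"}),
        "tampered": verify_packet(bytes(tampered), {15: "testkeya"}),
        "key_on_wire": b"testkeya" in packet,
    }


if __name__ == "__main__":
    print(demo())
```

Unlike simple mode, where the 1-to-8-character password travels in the Authentication field itself, the key here never appears in the packet; only the digest does.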
Format
ospf cost value
undo ospf cost
Parameters
value: specifies the cost for running OSPF protocol. The value is an integer ranging from 1 to 65535.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the interface automatically calculates the cost required for running OSPF protocol according to the current baud rate.
Examples
# Specify the cost spent when an interface runs OSPF as 33.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ospf cost 33
Format
ospf dr-priority priority-number
undo ospf dr-priority
Parameters
priority-number: specifies an interface priority for electing the "designated router". The value is an integer ranging from 0 to 255.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the interface priority for electing the "designated router" is 1.
The interface priority determines whether the interface qualifies when the "designated router" is elected. The interface with the higher priority is considered first when there is a conflict in the election. If the priority of a router is 0, the router is not elected as the DR or the BDR.
Examples
# Set the priority of the interface GigabitEthernet 0/0/0 to 8, when electing the DR.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ospf dr-priority 8
Format
ospf mib-binding process-id
undo ospf mib-binding
Parameters
process-id: specifies the number of an OSPF process. The value is an integer ranging from 1 to 65535.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, MIB operation is bound to the first enabled OSPF process. Using this command, MIB operation can be bound to another OSPF process. Using the undo ospf mib-binding command, you can cancel the binding, after which the OSPF protocol automatically rebinds MIB operation to the first enabled process.
Examples
# Bind MIB operation on OSPF process 100.
<Eudemon> system-view
[Eudemon] ospf mib-binding 100
Format
ospf mtu-enable
undo ospf mtu-enable
Parameters
None
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the MTU value in DD packets is 0, that is, the actual MTU of the interface is not written into them. A device running OSPF uses DD packets to describe its own LSDB while synchronizing the database. With this command, the specified interface writes the actual MTU value of the interface into the MTU field of the DD packets it sends.
Examples
# Set interface GigabitEthernet 0/0/0 to write MTU value area when sending DD packets.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ospf mtu-enable
Function
Using the ospf network-type command, you can configure the network type of OSPF interface. Using the undo ospf network-type command, you can restore the default network type of the OSPF interface.
Format
ospf network-type { broadcast | nbma | p2mp | p2p }
undo ospf network-type
Parameters
broadcast: sets the interface network type to broadcast.
nbma: sets the interface network type to Non-Broadcast Multiple Access (NBMA).
p2mp: sets the interface network type to point-to-multipoint (p2mp).
p2p: sets the interface network type to point-to-point (p2p).
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
OSPF divides networks into four types by link layer protocol:
- Broadcast: If Ethernet or FDDI is adopted, OSPF defaults the network type to broadcast.
- NBMA: If Frame Relay, ATM, HDLC or X.25 is adopted, OSPF defaults the network type to NBMA.
- p2mp: OSPF does not default the network type of any link layer protocol to p2mp. The usual practice is to change a partially connected NBMA network to a p2mp network when the NBMA network is not fully meshed.
- p2p: If PPP or LAPB is adopted, OSPF defaults the network type to p2p.
If a device on the broadcast network does not support multicast addresses, the interface network type can be changed to NBMA. The interface network type can also be changed from NBMA to broadcast. A network that can be treated as an NBMA network, or changed to a broadcast network, must satisfy the following condition: a virtual circuit directly connects any two devices on the network, that is, the network is fully meshed. If the network cannot satisfy this condition, the interface network type must be changed to point-to-multipoint; two devices that are not directly connected can then exchange routing information through a device that is directly connected to both. If only two devices on the same network segment run the OSPF protocol, the interface network type can be changed to point-to-point.
NOTE
When the network type of an interface is NBMA, or is changed to NBMA manually, the peer command (OSPF view) must be used to configure the neighbor.
Examples
# Set the interface GigabitEthernet 0/0/0 to NBMA type.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ospf network-type nbma
Format
ospf timer dead seconds
undo ospf timer dead
Parameters
seconds: specifies the dead interval of the OSPF neighbor. The value is an integer ranging from 1 to 65535 seconds.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the dead interval for OSPF neighbors is 40 seconds on p2p and broadcast interfaces and 120 seconds on p2mp and nbma interfaces. If no Hello message is received from a neighbor within the dead interval, the neighbor is considered invalid. The dead seconds value should be at least 4 times the Hello seconds value, and the dead seconds of the devices on the same network segment must be identical.
Examples
# Set the neighbor dead interval on the interface GigabitEthernet 0/0/0 to 80 seconds.
Format
ospf timer hello seconds
undo ospf timer hello
Parameters
seconds: specifies the interval at which an interface transmits Hello messages. The value is an integer ranging from 1 to 255 seconds.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the interval is 10 seconds for an interface of p2p or broadcast type to transmit Hello messages, and 30 seconds for an interface of nbma or p2mp type.
Examples
# Set the interval of transmitting Hello messages on the interface GigabitEthernet 0/0/0 to 20 seconds.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ospf timer hello 20
Format
ospf timer poll seconds
undo ospf timer poll
Parameters
seconds: specifies the poll interval for Hello messages. The value is an integer ranging from 1 to 65535 seconds.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the poll interval for Hello messages is 120 seconds. On an NBMA network, once a neighbor becomes invalid, Hello messages are transmitted to it at the poll interval. You can configure the poll seconds to specify how often the interface transmits Hello messages before it establishes an adjacency with the adjacent device. The poll seconds value should be no less than 3 times the Hello seconds value.
Examples
# Transmit poll Hello message from interface GigabitEthernet 0/0/0 every 130 seconds.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ospf timer poll 130
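The network, ospf timer dead, ospf timer hello and ospf timer poll guidelines above each state a rule that a misconfigured pair of routers silently violates (no adjacency forms, or it flaps). The following added check is not Eudemon code: it resolves each interface's timers against the per-type defaults the reference gives, tests the master IP against the area's network/wildcard statements, and applies the dead >= 4 x hello, poll >= 3 x hello and same-segment consistency rules to a constructed set of devices.

```python
# Added consistency check (not Eudemon code) for the OSPF interface rules this
# reference states. Device names, addresses and timer values are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Defaults the reference gives per network type (seconds).
DEFAULT_HELLO = {"broadcast": 10, "p2p": 10, "nbma": 30, "p2mp": 30}
DEFAULT_DEAD = {"broadcast": 40, "p2p": 40, "nbma": 120, "p2mp": 120}
DEFAULT_POLL = 120


@dataclass
class OspfInterface:
    device: str
    name: str
    master_ip: str
    network_type: str = "broadcast"
    hello: Optional[int] = None     # "ospf timer hello", None means default
    dead: Optional[int] = None      # "ospf timer dead"
    poll: Optional[int] = None      # "ospf timer poll" (NBMA only)

    def timers(self) -> Tuple[int, int, int]:
        # Resolve configured values against the per-type defaults.
        hello = DEFAULT_HELLO[self.network_type] if self.hello is None else self.hello
        dead = DEFAULT_DEAD[self.network_type] if self.dead is None else self.dead
        poll = DEFAULT_POLL if self.poll is None else self.poll
        return hello, dead, poll


def wildcard_matches(ip: str, network: str, wildcard: str) -> bool:
    # "network 10.110.36.0 0.0.0.255": the wildcard is the inverted mask, so the
    # address matches when every bit that is 0 in the wildcard agrees.
    i, n, w = (int(IPv4Address(x)) for x in (ip, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (i & care) == (n & care)


def check_interface(iface: OspfInterface,
                    networks: List[Tuple[str, str]]) -> List[str]:
    # networks: (ip-address, wildcard-mask) pairs from the area's network commands.
    tag = f"{iface.device} {iface.name}"
    problems = []
    if not any(wildcard_matches(iface.master_ip, n, w) for n, w in networks):
        problems.append(f"{tag}: master IP {iface.master_ip} matches no network "
                        "statement, OSPF will not run on this interface")
    hello, dead, poll = iface.timers()
    if dead < 4 * hello:
        problems.append(f"{tag}: dead {dead}s is less than 4 x hello {hello}s")
    if iface.network_type == "nbma" and poll < 3 * hello:
        problems.append(f"{tag}: poll {poll}s is less than 3 x hello {hello}s")
    return problems


def check_segment(ifaces: List[OspfInterface]) -> List[str]:
    # All interfaces in the list share one network segment and must agree on
    # hello and dead, otherwise adjacencies never form or keep flapping.
    problems = []
    first = ifaces[0]
    h0, d0, _ = first.timers()
    for other in ifaces[1:]:
        h, d, _ = other.timers()
        if (h, d) != (h0, d0):
            problems.append(f"{other.device} {other.name}: hello/dead {h}/{d} "
                            f"differ from {first.device} {first.name} ({h0}/{d0})")
    return problems


def audit(segment: List[OspfInterface],
          networks: List[Tuple[str, str]]) -> List[str]:
    problems = []
    for iface in segment:
        problems.extend(check_interface(iface, networks))
    problems.extend(check_segment(segment))
    return problems


# Constructed sample: area covers 10.110.36.0/24 as in the network example.
NETWORKS = [("10.110.36.0", "0.0.0.255")]
SEGMENT = [
    OspfInterface("EudemonA", "GigabitEthernet0/0/0", "10.110.36.1", hello=20, dead=80),
    OspfInterface("EudemonB", "GigabitEthernet0/0/0", "10.110.36.2", hello=20, dead=80),
    OspfInterface("EudemonC", "GigabitEthernet0/0/0", "10.110.36.3", hello=20, dead=30),
    OspfInterface("EudemonD", "GigabitEthernet0/0/0", "10.110.37.4", hello=20, dead=80),
]

if __name__ == "__main__":
    for line in audit(SEGMENT, NETWORKS):
        print(line)
```

EudemonC is reported twice (its dead timer is below 4 x hello and differs from EudemonA's), and EudemonD once, because its master IP lies outside the only network statement.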
Format
ospf timer retransmit interval
undo ospf timer retransmit
Parameters
interval: sets an interval for re-transmitting LSA on an interface. The value is an integer ranging from 1 to 65535 seconds.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the LSA retransmission interval on an interface is 5 seconds. When a Eudemon running OSPF transmits a link state advertisement (LSA) to a peer, it waits for an acknowledgement packet from the peer. If no acknowledgement is received within the LSA retransmission interval, the LSA is retransmitted. According to RFC 2328, the LSA retransmission interval between adjacent devices should not be set too short; otherwise, unnecessary retransmissions occur.
Examples
# Specify the LSA retransmission interval between the interface GigabitEthernet 0/0/0 and the adjacent devices as 12 seconds.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ospf timer retransmit 12
Format
ospf trans-delay seconds
undo ospf trans-delay
Parameters
seconds: specifies a transmitting delay of LSA on an interface. The value is an integer ranging from 1 to 3600 seconds.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the transmission delay is 1 second. An LSA ages in the link state database (LSDB) of the Eudemon as time passes (its age increases by 1 every second), but it does not age while in transit on the network. Therefore, the delay set by this command is added to the age of the LSA before it is transmitted.
Examples
# Specify the trans-delay of transmitting LSA on the interface GigabitEthernet 0/0/0 as 3 seconds.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ospf trans-delay 3
Format
peer ip-address [ dr-priority priority ]
undo peer ip-address
Parameters
ip-address: specifies the IP address of the neighbor, in dotted-decimal format.
dr-priority priority: specifies the priority of the neighboring device on the network. The value is an integer ranging from 0 to 255. By default, the value is 1.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
On an NBMA network, a fully meshed network (that is, one with a VC directly connecting any two devices on the network) can be implemented by configuring mappings. OSPF can then operate on the frame relay network in the same way as on a broadcast network (for example, electing the DR and BDR). However, because adjacent devices cannot be discovered dynamically by advertising Hello messages, the IP addresses of the adjacent devices and their election rights must be configured manually for the interface.
Examples
# Configure the address of the peer neighbor as 10.1.1.1 in the OSPF process 1.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] peer 10.1.1.1
Format
preference [ ase ] preference-value
undo preference [ ase ]
Parameters
preference-value: specifies the preference of OSPF routes. The value is an integer ranging from 1 to 255.
ase: refers to the preference of external routes imported into the AS.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
Each routing protocol has its own preference, whose default value depends on the specific routing policy. When several protocols provide a route to the same destination, the preference determines which route is selected as the best route in the IP routing table. You can use the preference or undo preference command to adjust the OSPF preference manually.
Examples
# Specify the preference of an external imported route of the AS as 160.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] preference ase 160
Format
reset ospf [ statistics ] { all | process-id }
Parameters
process-id: specifies an OSPF process number. The value is an integer ranging from 1 to 65535. If no OSPF process number is specified, all the OSPF processes should be reset.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
The reset ospf process-id command resets the specified process and clears its statistics. Using the reset ospf all command to reset the OSPF processes has the following effects:
- Invalid LSAs are cleared immediately without waiting for the LSA timeout.
- If the Router ID has changed, the new Router ID takes effect when the command is executed.
- The DR and BDR are re-elected.
- The OSPF configuration is not lost if the system is restarted.
- The original OSPF routes are deleted.
- After the OSPF process restarts, new routes and LSAs are generated accordingly and the LSAs are advertised.
The system asks the user to confirm whether to re-enable the OSPF protocol when the command is executed.
Examples
# Reset all the OSPF processes.
<Eudemon> reset ospf all
2.13.53 router id
Function
Using the router id command, you can configure the ID of a device running the OSPF protocol. Using the undo router id command, you can cancel the device ID that has been configured.
Format
router id router-id
undo router id
Parameters
router-id: specifies the ID of a device, in dotted-decimal format.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the smallest IP address among all the device interfaces is used as the device ID. The device ID is a 32-bit unsigned integer that uniquely identifies a device in an OSPF AS. You can specify the ID for a device; if the user does not specify a device ID, the device automatically selects one of its configured IP addresses as its ID. If no IP address is configured on any interface of the device, the device ID must be configured; otherwise, the OSPF protocol cannot be enabled. When the device ID is configured manually, no two devices in the AS may have identical IDs, so the IP address of one of the device's interfaces may as well be selected as its ID.
Examples
# Set the device ID to 10.1.1.3.
<Eudemon> system-view
[Eudemon] router id 10.1.1.3
2.13.54 silent-interface
Function
Using the silent-interface command, you can prevent an interface from transmitting OSPF packets. Using the undo silent-interface command, you can restore the default setting.
Format
silent-interface interface-type interface-number
undo silent-interface interface-type interface-number
Parameters
interface-type: specifies the type of the interface.
interface-number: specifies the number of the interface.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
By default, the interface is allowed to transmit OSPF packets. You can use this command to stop an interface from transmitting OSPF packets, so that devices on certain networks do not receive OSPF routing information. Different processes can silence the same interface; however, the silent-interface command only takes effect on interfaces enabled with OSPF by this process, and has no effect on interfaces enabled by other processes.
Examples
# Prevent interface GigabitEthernet 0/0/0 from transmitting OSPF packets.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] silent-interface GigabitEthernet 0/0/0
# Prevent interface GigabitEthernet 0/0/0 from transmitting OSPF packets in both OSPF process 100 and OSPF process 200.
<Eudemon> system-view
[Eudemon] router id 10.110.1.9
[Eudemon] ospf 100
[Eudemon-ospf-100] silent-interface GigabitEthernet 0/0/0
Format
snmp-agent trap enable ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt | ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa | nbrstatechange | originatelsa | vifauthfail | vifcfgerror | virifrxbadpkt | virifstatechange | viriftxretransmit | virnbrstatechange ]
undo snmp-agent trap enable ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt | ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa | nbrstatechange | originatelsa | vifauthfail | vifcfgerror | virifrxbadpkt | virifstatechange | viriftxretransmit | virnbrstatechange ]
Parameters
process-id: indicates the OSPF process number. The value ranges from 1 to 65535. By default, it is 1.
ifauthfail: indicates failure of the interface authentication.
ifcfgerror: indicates errors of the interface configuration.
ifrxbadpkt: indicates received bad packets.
ifstatechange: indicates changes of the interface state.
iftxretransmit: indicates sending and receiving of packets on the interface.
lsdbapproachoverflow: indicates that the LSDB is approaching overflow.
lsdboverflow: indicates LSDB overflow.
maxagelsa: indicates an LSA reaching Max Age.
nbrstatechange: indicates changes of the neighbor state.
originatelsa: indicates LSAs that are locally generated.
vifauthfail: indicates failure of the virtual interface authentication.
vifcfgerror: indicates errors of the virtual interface configuration.
virifrxbadpkt: indicates bad packets received on the virtual interface.
virifstatechange: indicates changes of the virtual interface state.
viriftxretransmit: indicates sending and receiving of packets on the virtual interface.
virnbrstatechange: indicates changes of the state of a neighbor on the virtual interface.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
This command does not take effect on OSPF processes enabled after it is executed. By default, no OSPF process is enabled to transmit trap packets.
Examples
# Send trap packets of all OSPF processes.
<Eudemon> system-view
[Eudemon] snmp-agent trap enable ospf
2.13.56 spf-schedule-interval
Function
Using the spf-schedule-interval command, you can set the route calculation interval of OSPF. Using the undo spf-schedule-interval command, you can restore the default setting.
Format
spf-schedule-interval seconds
undo spf-schedule-interval
Parameters
seconds: specifies the SPF calculation interval. The value is an integer ranging from 1 to 10 seconds.
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
By default, the value is 5 seconds.
Using the Link State Database (LSDB), the device running OSPF calculates a shortest path tree with itself as the root and determines the next hop to each destination network from that tree. By adjusting the SPF calculation interval, the effect of frequent network changes, which would otherwise consume excessive bandwidth and device resources, can be restrained.
Examples
# Set the OSPF route calculation interval of Eudemon to 6 seconds.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] spf-schedule-interval 6
2.13.57 stub
Function
Using the stub command, you can set the type of an OSPF area as the STUB area. Using the undo stub command, you can cancel the settings.
Format
stub [ no-summary ]
undo stub
Parameters
no-summary: prevents the ABR from transmitting Summary LSAs into the stub area.
Views
OSPF area view
Default Level
2: Configuration level
Usage Guidelines
By default, no area is configured as a stub area. Using the stub command, you can configure an area as a stub area. If the device is an ABR, it sends a default route into the connected stub area; using the default-cost command, you can set the cost of that default route. In addition, you can prevent type-3 LSAs from entering the stub area connected to the ABR by adding the no-summary parameter to the stub command on the ABR.
Examples
# Set the type of OSPF area 1 to the STUB area.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 1
[Eudemon-ospf-1-area-0.0.0.1] stub
2.13.58 vlink-peer
Function
Using the vlink-peer command, you can create and configure a virtual link. Using the undo vlink-peer command, you can cancel an existing virtual link.
Format
vlink-peer router-id [ hello seconds | retransmit seconds | trans-delay seconds | dead seconds | simple password | md5 key-id key ] *
undo vlink-peer router-id
Parameters
router-id: specifies the device ID of the virtual link neighbor, in dotted decimal notation.
hello seconds: specifies the interval for transmitting Hello messages. The value is an integer ranging from 1 to 8192 seconds. This value must equal the hello seconds value of the device at the other end of the virtual link. By default, the value is 10 seconds.
retransmit seconds: specifies the interval for retransmitting LSA packets on the interface. The value is an integer ranging from 1 to 8192 seconds. By default, the value is 5 seconds.
trans-delay seconds: specifies the delay added before transmitting LSA packets on the interface. The value is an integer ranging from 1 to 8192 seconds. By default, the value is 1 second.
dead seconds: specifies the dead timer interval. The value is an integer ranging from 1 to 8192 seconds. This value must equal the dead seconds of the device at the other end of the virtual link and must be at least 4 times the hello seconds. By default, the value is 40 seconds.
simple password: specifies the simple-text authentication key of the interface, not exceeding 8 characters. This value must equal the authentication key of the virtual link neighbor.
key-id: specifies the MD5 authentication key ID. The value is an integer ranging from 1 to 255. It must equal the authentication key ID of the virtual link neighbor.
key: specifies the authentication key of the interface. A plain-text password is a consecutive string of 8 to 16 characters, and must equal the authentication key of the virtual link neighbor. An encrypted password must be 24 characters of encrypted text.
Views
OSPF area view
Default Level
2: Configuration level
Usage Guidelines
When configuring virtual link authentication, the authentication-mode (OSPF Area View) command is used to set the authentication mode as MD5 cipher text or simple text on the backbone network.
Examples
# Create a virtual link to 10.110.0.3 and use the MD5 cipher text authentication mode.
<Eudemon> system-view
[Eudemon] ospf
[Eudemon-ospf-1] area 10.0.0.0
[Eudemon-ospf-1-area-10.0.0.0] vlink-peer 10.110.0.3 md5 3 vlinkkey
Format
vpn-instance-capability simple
undo vpn-instance-capability
Parameters
None
Views
OSPF view
Default Level
2: Configuration level
Usage Guidelines
By default, the routing-loop check is enabled. The command takes effect only on the VPN instance of OSPF.
Examples
# Disable the routing-loop check.
<Eudemon> system-view
[Eudemon] ospf 10 router-id 1.1.1.2 vpn-instance vpn1
[Eudemon-ospf-10] vpn-instance-capability simple
Format
ppp authentication-mode { chap [ pap ] | pap }
undo ppp authentication-mode
Parameters
chap: authenticates the peer in CHAP mode.
pap: authenticates the peer in PAP mode.
Views
Virtual template interface view
Default Level
2: Configuration level
Usage Guidelines
By default, no authentication is carried out. There are two PPP authentication algorithms:
- PAP is a 2-way handshake authentication, which sends the password in plain text.
- CHAP is a 3-way handshake authentication, which does not send the password in plain text but in encrypted (hashed) form.
2 Internetworking
Whether the authentication succeeds or not depends on AAA, which can authenticate on the basis of the local authentication database or AAA server.
Examples
# Authenticate the peer device by means of PAP on interface VT.
<Eudemon> system-view
[Eudemon] interface virtual-template 1
[Eudemon-Virtual-Template1] ppp authentication-mode pap
Format
ppp chap password { simple | cipher } password
undo ppp chap password
Parameters
password: specifies the password. It is a character string whose length ranges from 1 to 16.
simple: displays the password in plain text.
cipher: displays the password in encrypted text.
Views
Virtual template interface view
Default Level
2: Configuration level
Usage Guidelines
While configuring CHAP authentication, you should set the local password as the password of the peer user.
Examples
# Set the user password as testpwd in plain text when the local Eudemon performs the authentication via CHAP.
<Eudemon> system-view
[Eudemon] interface virtual-template 1
[Eudemon-Virtual-Template1] ppp chap password simple testpwd
Format
ppp chap user user-name
undo ppp chap user
Parameters
user-name: specifies the user name of CHAP authentication. The value is a string of 1 to 64 characters.
Views
Virtual template interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the user name of the CHAP authentication is blank. While configuring CHAP authentication, you should set the user-name of each end as the user of the peer end, and set the corresponding password accordingly.
Examples
# Set the local user name as Eudemon when CHAP authentication is performed on interface Virtual-Template1.
<Eudemon> system-view
[Eudemon] interface virtual-template 1
[Eudemon-Virtual-Template1] ppp chap user Eudemon
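The following Python model, added here and not part of the Huawei manual, contrasts the two exchanges named under ppp authentication-mode: the 2-way PAP request that carries the password itself, and the 3-way CHAP handshake (RFC 1994, MD5 response over Identifier, secret and Challenge) in which the password configured with ppp chap password never crosses the link. The local user table, the simulated wire payloads and the helper names are constructed for the example; the user name and password are the manual's own example values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for the local AAA database the manual refers to:
# the name the peer presents (ppp chap user) maps to the shared password
# (ppp chap password). Values taken from the manual's examples.
LOCAL_USERS: Dict[str, str] = {"Eudemon": "testpwd"}


def pap_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request body (RFC 1334): Peer-ID and Password,
    each length-prefixed, carried in clear text."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def pap_verify(payload: bytes, users: Dict[str, str]) -> bool:
    """Authenticator side of PAP: split the two fields, compare the password."""
    ulen = payload[0]
    username = payload[1:1 + ulen].decode()
    plen = payload[1 + ulen]
    password = payload[2 + ulen:2 + ulen + plen].decode()
    expected = users.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def chap_challenge(size: int = 16) -> bytes:
    """CHAP step 1 (authenticator): fresh, unpredictable Challenge value."""
    return os.urandom(size)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP step 2 (peer): RFC 1994 response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_verify(identifier: int, name: str, challenge: bytes,
                response: bytes, users: Dict[str, str]) -> bool:
    """CHAP step 3 (authenticator): recompute with the stored secret for the
    claimed Name and compare in constant time; only Success/Failure goes back."""
    secret = users.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_chap(name: str, secret: str, users: Dict[str, str], identifier: int = 1,
             challenge: Optional[bytes] = None) -> Tuple[bool, bytes]:
    """Whole three-way exchange. Returns (authenticated, bytes the peer sent)."""
    if challenge is None:
        challenge = chap_challenge()
    response = chap_response(identifier, secret, challenge)
    return chap_verify(identifier, name, challenge, response, users), response


def secret_visible(wire: bytes, secret: str) -> bool:
    """Would a passive capture of this payload contain the password itself?"""
    return secret.encode() in wire


if __name__ == "__main__":
    pap = pap_request("Eudemon", "testpwd")
    print("PAP ok:", pap_verify(pap, LOCAL_USERS),
          "password on wire:", secret_visible(pap, "testpwd"))
    ok, resp = run_chap("Eudemon", "testpwd", LOCAL_USERS)
    print("CHAP ok:", ok, "password on wire:", secret_visible(resp, "testpwd"))
```

Because the challenge is random per exchange, a captured CHAP response is useless against a later challenge, which is the property the PAP payload lacks.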
Format
ppp ipcp dns { admit-any | primary-dns-address [ secondary-dns-address ] }
undo ppp ipcp dns { primary-dns-address [ secondary-dns-address ] | admit-any }
Parameters
primary-dns-address: specifies the IP address of the primary DNS server.
secondary-dns-address: specifies the IP address of the secondary DNS server.
admit-any: accepts any DNS address requested by the peer.
Views
Virtual template interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the device does not provide the address of DNS server for the peer. The Eudemon can provide the addresses of the primary and secondary DNS servers for the peer.
Examples
# Configure the primary DNS server address of the local Eudemon as 100.1.1.1, and the secondary DNS server address as 100.1.1.2.
<Eudemon> system-view
[Eudemon] interface virtual-template 1
[Eudemon-Virtual-Template1] ppp ipcp dns 100.1.1.1 100.1.1.2
Format
ppp pap local-user user-name password { simple | cipher } password
undo ppp pap local-user
Parameters
user-name: specifies the username sent to be authenticated by the peer.
password: specifies the password sent to be authenticated by the peer.
simple: sets the password in plain text.
cipher: sets the password in encrypted text.
Views
Virtual template interface view
Default Level
2: Configuration level
Usage Guidelines
By default, when the local device is authenticated by the peer device through the PAP method, both the username and the password sent by the local device are empty. When the local device is authenticated via the PAP method by the peer device, the username and password sent by the local device must be the same as the user and password of the peer device.
Examples
# Set the username of the local device authenticated by the peer end through the PAP method as testuser and the password as testpwd.
<Eudemon> system-view
[Eudemon] interface virtual-template 1
[Eudemon-Virtual-Template1] ppp pap local-user testuser password simple testpwd
Format
ppp timer negotiate interval
undo ppp timer negotiate
Parameters
interval: specifies the time of negotiation timeout in seconds. The time ranges from 1 to 10 seconds. By default, the PPP timeout is 3 seconds.
Views
Virtual template interface view
Default Level
2: Configuration level
Usage Guidelines
During the PPP negotiation, if the local end does not receive the response packet of the peer end, PPP will resend the last packet.
Examples
# Set the PPP negotiation timeout to 5 seconds.
<Eudemon> system-view
[Eudemon] interface virtual-template 1
[Eudemon-Virtual-Template1] ppp timer negotiate 5
2.15.22 display bgp routing-table dampened
2.15.23 display bgp routing-table different-origin-as
2.15.24 display bgp routing-table flap-info
2.15.25 display bgp routing-table peer
2.15.26 display bgp routing-table regular-expression
2.15.27 group (BGP View or VPN-Instance View)
2.15.28 import-route (BGP View)
2.15.29 ipv4-family
2.15.30 network (BGP View)
2.15.31 peer advertise-community (BGP)
2.15.32 peer allow-as-loop (BGP)
2.15.33 peer as-number
2.15.34 peer as-path-acl export
2.15.35 peer as-path-acl import
2.15.36 peer connect-interface (BGP)
2.15.37 peer default-route-advertise (BGP)
2.15.38 peer description (BGP)
2.15.39 peer ebgp-max-hop
2.15.40 peer enable (BGP)
2.15.41 peer filter-policy export (BGP)
2.15.42 peer filter-policy import (BGP)
2.15.43 peer group (BGP)
2.15.44 peer ip-prefix export (BGP)
2.15.45 peer ip-prefix import (BGP)
2.15.46 peer listen-only
2.15.47 peer next-hop-local (BGP)
2.15.48 peer password
2.15.49 peer public-as-only (BGP)
2.15.50 peer reflect-client (BGP)
2.15.51 peer route-policy export (BGP)
2.15.52 peer route-policy import (BGP)
2.15.53 peer route-update-interval (BGP)
2.15.54 peer timer
2.15.55 preference (BGP)
2.15.56 reflect between-clients (BGP)
2.15.57 reflector cluster-id (BGP)
2.15.58 refresh bgp
2.15.59 reset bgp
2.15.60 reset bgp dampening
2.15.61 reset bgp flap-info
2.15.62 reset bgp group
2.15.63 summary automatic (BGP)
2.15.64 timer keepalive hold (BGP)
2.15.1 aggregate
Function
Using the aggregate command, you can create an aggregated record in the BGP routing table. Using the undo aggregate command, you can disable the function.
Format
aggregate ip-address mask [ as-set | attribute-policy policy-name1 | detail-suppressed | origin-policy policy-name2 | suppress-policy policy-name3 ] *
undo aggregate ip-address mask
Parameters
ip-address: specifies the IP address of the aggregated route in dotted decimal notation.
mask: specifies the mask of the aggregated route. The mask is in dotted decimal format.
as-set: generates routes that have AS sets, including AS path information about the specific routes. When aggregating many AS paths, use this parameter with caution to avoid frequent route flapping.
attribute-policy policy-name1: specifies the name of the attribute-policy for the aggregated routes. The name is a string of 1 to 19 characters.
detail-suppressed: advertises only the aggregated routes rather than any specific route. To filter out some of the routes, run the peer filter-policy command.
origin-policy policy-name2: specifies the name of the origin-policy that allows generating aggregated routes. The name is a string of 1 to 19 characters.
suppress-policy policy-name3: specifies the name of the suppress-policy that suppresses the advertisement of specified routes. The name is a string of 1 to 19 characters.
Views
BGP view, multicast sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, the routes are not aggregated.
Examples
# Create an aggregated route 192.168.213.0 255.255.0.0 in the BGP routing table.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] aggregate 192.213.0.0 255.255.0.0
2.15.2 balance
Function
Using the balance command, you can configure the number of routes performing BGP load sharing. Using the undo balance command, you can restore the default value.
Format
balance number
undo balance
Parameters
number: specifies the number of BGP routes for load sharing. The value ranges from 1 to 3. When number is 1, no load sharing is performed.
Views
BGP view
Default Level
2: Configuration level
Usage Guidelines
By default, no load sharing is performed. Unlike an IGP, BGP has no specific metric on which to perform load sharing. BGP load sharing is implemented by changing its routing rules.
Examples
# Configure 2 routes to perform load sharing.
<Eudemon> system-view
[Eudemon] bgp 100
[Eudemon-bgp] balance 2
2.15.3 bgp
Function
Using the bgp command, you can enable BGP and enter the BGP view. Using the undo bgp command, you can disable BGP.
Format
bgp as-number
undo bgp [ as-number ]
Parameters
as-number: Specifies the local AS number. The value is an integer ranging from 1 to 65535.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
NOTE
All BGP configurations are deleted after you use the undo bgp command. So, confirm the action before you use the command.
By default, BGP is not enabled. This command is used to enable and disable BGP as well as to specify the local AS number of BGP. One device runs in only one AS. That is, only one as-number is specified.
Examples
# Enable BGP and set the local AS number to 100.
<Eudemon> system-view
[Eudemon] bgp 100
[Eudemon-bgp]
Function
Using the compare-different-as-med command, you can compare the MED values of routes among peers from different ASs. Using the undo compare-different-as-med command, you can disable the comparison.
Format
compare-different-as-med
undo compare-different-as-med
Parameters
None
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, the comparison of the MED values of routes among peers from different ASs is disabled. If there are many reachable paths to the same destination, you can choose the route with the smaller MED value as the entry actually used. Do not use this command unless you can ensure that the different ASs use the same IGP and route selection mode.
Examples
# Enable the comparison of the MED values of routes among peers from different ASs.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] compare-different-as-med
2.15.5 confederation id
Function
Using the confederation id command, you can configure a confederation identifier. Using the undo confederation id command, you can cancel the BGP confederation that is specified by as-number.
Format
confederation id as-number
undo confederation id
Parameters
as-number: specifies the number of the AS which contains multiple sub-ASs. It is in the range of 1 to 65535.
Views
BGP view
Default Level
2: Configuration level
Usage Guidelines
By default, no confederation ID is configured. To solve the problem that a large AS may require too large a full-meshed IBGP, you can use a confederation: divide the AS into multiple small sub-ASs and group them into a confederation. Key attributes of routes, such as next hop, MED and local preference, are not dropped when these routes pass through the sub-ASs, because seen from the outside the confederation is still a complete entity. Thus, the completeness of the original AS is preserved and the excessive connections are reduced. The confederation ID is equal to the number of the entire AS. Other external ASs must specify the confederation ID when specifying the AS number of the peer. All the sub-ASs in the same confederation must be configured with the same confederation ID.
Examples
# Configure the confederation ID. An AS is divided into sub-ASs 38, 39, 40, and 41, and their confederation ID is 9. Peer 1.2.3.4 is a member of the AS confederation. Peer 3.4.5.6 is a member outside the AS confederation. For the external members, confederation 9 is a complete AS.
<Eudemon> system-view
[Eudemon] bgp 41
[Eudemon-bgp] confederation id 9
[Eudemon-bgp] confederation peer-as 38 39 40
[Eudemon-bgp] peer 1.2.3.4 as-number 38
[Eudemon-bgp] peer 3.4.5.6 as-number 98
Format
confederation nonstandard
undo confederation nonstandard
Parameters
None
Views
BGP view
Default Level
2: Configuration level
Usage Guidelines
By default, the configured confederation accords with RFC3065. To make nonstandard devices interwork, you must configure the command on all devices in a confederation.
Examples
# Enable the device to be compatible with nonstandard devices. AS100 contains two sub-ASs, AS64000 and AS65000.
<Eudemon> system-view
[Eudemon] bgp 64000
[Eudemon-bgp] confederation id 100
[Eudemon-bgp] confederation peer-as 65000
[Eudemon-bgp] confederation nonstandard
Format
confederation peer-as as-number&<1-32>
undo confederation peer-as as-number&<1-32>
Parameters
as-number: specifies the sub-AS number. It is in the range of 1 to 65535. As many as 32 sub-ASs can be configured to belong to the confederation.
Views
BGP view
Default Level
2: Configuration level
Usage Guidelines
By default, no sub-AS number of the confederation is configured. The sub-ASs configured in this command belong to the same confederation, and each sub-AS uses a fully meshed network. The confederation id command specifies the confederation ID of each sub-AS. If the confederation ID is not configured, this command is invalid.
Examples
# Configure sub-ASs for the confederation.
<Eudemon> system-view
[Eudemon] bgp 1090
[Eudemon-bgp] confederation id 100
[Eudemon-bgp] confederation peer-as 1091 1092 1093
2.15.8 dampening
Function
Using the dampening command, you can enable BGP route flap damping or modify various BGP route flap damping parameters. Using the undo dampening command, you can disable the route flap damping.
Format
dampening [ half-life-reachable half-life-unreachable reuse suppress ceiling ] [ route-policy policy-name ]
undo dampening
Parameters
half-life-reachable: specifies the half-life of a reachable route, in minutes. The value ranges from 1 to 45. By default, it is 15.
half-life-unreachable: specifies the half-life of an unreachable route, in minutes. The value ranges from 1 to 45. By default, it is 15.
reuse: specifies the threshold below which a suppressed route is unsuppressed. If the penalty of the route falls below this value, the route is reused. The value is an integer ranging from 1 to 20000. By default, it is 750.
suppress: specifies the threshold above which a route is suppressed. The route is not used when its penalty reaches this threshold. It must be greater than the value of reuse. The value is an integer ranging from 1 to 20000. By default, it is 2000.
ceiling: specifies the upper limit of the penalty. It must be greater than the value of suppress. The value is an integer ranging from 1001 to 20000. By default, it is 16000.
route-policy policy-name: specifies the name of the routing policy. The name is a string of 1 to 40 characters.
Views
BGP view
Default Level
2: Configuration level
Usage Guidelines
By default, route flap damping is not configured. In the BGP dampening configuration, the relation between reuse, suppress, and ceiling must be reuse < suppress < ceiling.
Examples
# Enable BGP route flap damping and modify the BGP route flap damping parameters.
<Eudemon> system-view
[Eudemon] bgp 100
[Eudemon-bgp] dampening 10 10 1000 2000 5000
Info: Initializing, please wait a while
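The Python model below is an added example, not Huawei code: it applies the five dampening parameters (the ranges and the reuse < suppress < ceiling rule from this section) to a sequence of withdrawals and re-announcements, so you can see when a flapping prefix becomes suppressed and when it is reused. The RFC 2439 convention of adding a penalty of 1000 per withdrawal and exponential decay by half-life are assumptions; the manual does not state the increment.

```python
import math
from dataclasses import dataclass

# Assumed penalty added per withdrawal (RFC 2439 convention; not stated in the manual).
FLAP_PENALTY = 1000


@dataclass(frozen=True)
class Dampening:
    """Parameters of the dampening command, with the manual's defaults and ranges."""
    half_life_reachable: int = 15    # minutes
    half_life_unreachable: int = 15  # minutes
    reuse: int = 750
    suppress: int = 2000
    ceiling: int = 16000

    def __post_init__(self) -> None:
        for hl in (self.half_life_reachable, self.half_life_unreachable):
            if not 1 <= hl <= 45:
                raise ValueError("half-life must be 1..45 minutes")
        if not (1 <= self.reuse <= 20000 and 1 <= self.suppress <= 20000):
            raise ValueError("reuse and suppress must be 1..20000")
        if not 1001 <= self.ceiling <= 20000:
            raise ValueError("ceiling must be 1001..20000")
        if not self.reuse < self.suppress < self.ceiling:   # the manual's ordering rule
            raise ValueError("need reuse < suppress < ceiling")

    def max_suppress_minutes(self) -> float:
        """Longest a withdrawn route can stay suppressed: decay from ceiling down to reuse."""
        return self.half_life_unreachable * math.log2(self.ceiling / self.reuse)


class DampedRoute:
    """Penalty bookkeeping for one prefix. Time values are minutes."""

    def __init__(self, cfg: Dampening) -> None:
        self.cfg = cfg
        self.penalty = 0.0
        self.reachable = True
        self.suppressed = False
        self.last_update = 0.0

    def _decay_to(self, now: float) -> None:
        # Exponential decay; the half-life in force depends on the route's current state.
        hl = self.cfg.half_life_reachable if self.reachable else self.cfg.half_life_unreachable
        self.penalty *= 2.0 ** (-(now - self.last_update) / hl)
        self.last_update = now

    def _maybe_reuse(self) -> None:
        if self.suppressed and self.penalty < self.cfg.reuse:
            self.suppressed = False

    def withdraw(self, now: float) -> bool:
        """Peer withdraws the route (one flap). Returns True if the route is now suppressed."""
        self._decay_to(now)
        self.reachable = False
        self.penalty = min(self.penalty + FLAP_PENALTY, self.cfg.ceiling)
        if self.penalty > self.cfg.suppress:
            self.suppressed = True
        return self.suppressed

    def announce(self, now: float) -> bool:
        """Peer re-announces the route. Returns True if it is installed and advertised."""
        self._decay_to(now)
        self.reachable = True
        self._maybe_reuse()
        return not self.suppressed

    def check(self, now: float) -> bool:
        """Periodic reuse check. Returns True if the route is still suppressed."""
        self._decay_to(now)
        self._maybe_reuse()
        return self.suppressed


if __name__ == "__main__":
    # The manual's example: dampening 10 10 1000 2000 5000
    route = DampedRoute(Dampening(10, 10, 1000, 2000, 5000))
    for t, event in [(0, "w"), (1, "a"), (2, "w"), (3, "a"), (4, "w"), (5, "a")]:
        result = route.withdraw(t) if event == "w" else route.announce(t)
        print(f"t={t:>2} {event} penalty={route.penalty:7.1f} result={result}")
    print("still suppressed at t=15:", route.check(15), "at t=20:", route.check(20))
    print("worst case with defaults: %.1f min" % Dampening().max_suppress_minutes())
```

With the manual's values the third withdrawal (t=4) pushes the penalty above 2000 and the route is suppressed; it decays below the reuse threshold of 1000 between t=15 and t=20.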
Format
debugging bgp [ peer-address [ vpn-instance vpn-instance-name ] ] { all | event | normal | timer | raw-packet [ receive | send ] }
debugging bgp [ peer-address [ vpn-instance vpn-instance-name ] ] { keepalive | open | packet | route-refresh } [ receive | send ] [ verbose ]
debugging bgp [ peer-address [ vpn-instance vpn-instance-name ] ] { update } [ receive | send ] [ verbose ] [ acl acl-number | ip-prefix prefix-name ]
undo debugging bgp [ peer-address [ vpn-instance vpn-instance-name ] ] { all | event | normal | keepalive | open | packet | route-refresh | update | timer | raw-packet }
Parameters
peer-address: specifies the IP address of the peer, in dotted decimal format. This parameter can be used to set BGP information debugging for the specified peer.
vpn-instance-name: specifies the name of the VPN instance when the peer is a CE.
all: indicates all BGP information debugging.
event: indicates BGP event information debugging.
normal: indicates BGP running information debugging.
timer: indicates BGP timer debugging.
raw-packet: indicates BGP original packet debugging.
keepalive: indicates BGP Keepalive packet debugging.
open: indicates BGP Open packet debugging.
packet: indicates BGP packet debugging.
route-refresh: indicates BGP Route-Refresh packet debugging.
update: indicates BGP Update packet debugging.
receive: indicates debugging of received information.
send: indicates debugging of sent information.
verbose: indicates verbose debugging information.
acl: uses an ACL to filter update or mp-update debugging information.
acl-number: specifies the ACL number. The value is an integer ranging from 2000 to 2999.
ip-prefix: uses a prefix list to filter update or mp-update debugging information.
prefix-name: specifies the name of the IP prefix list.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, all BGP information debugging is disabled. The parameter peer-address can be used to set information debugging for the specified peer; the configuration for a peer takes precedence over BGP global debugging. Enabling or disabling BGP global debugging affects all the peers, including those in VPN-instance address families, with the same options (the verbose parameter and the acl/ip-prefix filter) as the global debugging. Conversely, debugging of a peer does not affect BGP global debugging. The debugging bgp all command and the undo debugging bgp all command affect both BGP global debugging and debugging of all the peers. System performance is affected when information debugging is enabled. Therefore, use this command cautiously and disable it after debugging.
Examples
# Enable the information debugging of BGP packets.
<Eudemon> debugging bgp packet
# Enable the update debugging of BGP peer 1.1.1.1. Filter the output information using prefix list prf1.
<Eudemon> debugging bgp 1.1.1.1 update ip-prefix prf1
Format
default local-preference value
undo default local-preference
Parameters
value: specifies the local preference value. It is an integer ranging from 0 to 4294967295. The greater the value, the higher the preference. By default, the value is 100.
Views
BGP view, sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
The local preference value is only advertised between IBGP peers. Configuring different local preference values will affect BGP routing selection.
Examples
# Set the local preference to 180, so that the routes advertised by this system are preferred.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] default local-preference 180
Function
Using the default med command, you can configure the system MED value. Using the undo default med command, you can restore the default value.
Format
default med med-value
undo default med
Parameters
med-value: specifies the MED value. It is an integer ranging from 0 to 4294967295. By default, the MED value is 0.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
MED is the external metric of a route. Different from the local preference, MED is exchanged between ASs and stays in the AS. In the case that all other conditions are the same, the system first selects the route with the smaller MED value as the external route of the AS. Setting different MED values results in different route selections. When there are multiple routes for the BGP device to reach the same destination address, the route with smaller MED value is selected first. The MED attribute is exchanged only between EBGP peers.
Examples
# Set the default MED value of BGP to 25.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] default med 25
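To make the effect of compare-different-as-med, default local-preference and default med concrete, here is an added Python model of the part of BGP route selection these three commands influence; it is not Huawei code. Only the LOCAL_PREF, AS_PATH-length and MED steps are modelled; the remaining tie-breakers are replaced by a deterministic lowest-next-hop rule, and the routes, addresses and AS numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    neighbor_as: int        # AS of the peer the route was learned from
    local_pref: int = 100   # LOCAL_PREF; the default local-preference value is 100
    med: int = 0            # MULTI_EXIT_DISC; the default med value is 0
    as_path_len: int = 1


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def select_best(routes: List[Route], compare_different_as_med: bool = False) -> Optional[Route]:
    """Pick the route a BGP speaker would install for one prefix."""
    if not routes:
        return None
    # 1. Highest LOCAL_PREF wins. LOCAL_PREF is only exchanged between IBGP peers,
    #    so it is the knob for steering traffic leaving this AS.
    best_lp = max(r.local_pref for r in routes)
    cands = [r for r in routes if r.local_pref == best_lp]
    # 2. Shortest AS_PATH.
    shortest = min(r.as_path_len for r in cands)
    cands = [r for r in cands if r.as_path_len == shortest]
    # 3. Lowest MED. By default MED is compared only between routes learned from the
    #    same neighboring AS, because each AS derives its MED from its own IGP metric.
    #    compare-different-as-med compares MEDs across neighboring ASs as well.
    if compare_different_as_med:
        lowest = min(r.med for r in cands)
        cands = [r for r in cands if r.med == lowest]
    else:
        keep = []
        for r in cands:
            same_as = [x for x in cands if x.neighbor_as == r.neighbor_as]
            if r.med == min(x.med for x in same_as):
                keep.append(r)
        cands = keep
    # 4. Stand-in for the remaining tie-breakers (EBGP over IBGP, IGP cost, router ID):
    #    the lowest next-hop address gives a deterministic answer.
    return min(cands, key=lambda r: _ip_key(r.next_hop))


# Constructed candidates for one prefix, learned from two neighboring ASs.
FROM_AS200 = Route("10.1.0.0/16", "10.10.10.1", neighbor_as=200, med=50)
FROM_AS300 = Route("10.1.0.0/16", "10.10.10.2", neighbor_as=300, med=10)
FROM_AS200_LOW_MED = Route("10.1.0.0/16", "10.10.10.4", neighbor_as=200, med=25)
PREFERRED = Route("10.1.0.0/16", "10.10.10.3", neighbor_as=300, local_pref=180, med=999)

if __name__ == "__main__":
    print("default:", select_best([FROM_AS200, FROM_AS300]).next_hop)
    print("compare-different-as-med:",
          select_best([FROM_AS200, FROM_AS300], compare_different_as_med=True).next_hop)
    print("same AS, lower MED:", select_best([FROM_AS200, FROM_AS200_LOW_MED]).next_hop)
    print("local-preference 180:", select_best([FROM_AS200, FROM_AS300, PREFERRED]).next_hop)
```

The run shows why the manual warns about compare-different-as-med: with it disabled the MED 50 route from AS 200 and the MED 10 route from AS 300 are never compared on MED, and with it enabled the AS 300 route wins purely on a value chosen by a different administration.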
Format
default-route imported
undo default-route imported
Parameters
None
Views
BGP view, multicast sub-address family view, VPN instance view
Default Level
2: Configuration level
Usage Guidelines
To import a default route, the default-route imported command needs to be used together with the import-route command: the import-route command alone cannot import the default route, and the default-route imported command only imports a default route that already exists in the local routing table.
Examples
# Import a default route to the BGP routing table.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] default-route imported
[Eudemon-bgp] import-route ospf 1
Format
display bgp [ multicast | vpnv4 { all | route-distinguisher rd-value | vpn-instance vpn-instance-name } ] group [ group-name ]
Parameters
vpnv4: displays the BGP peer groups of VPNv4.
all: displays the peer groups of all VPNv4s.
route-distinguisher rd-value: displays information about the route distinguisher (RD) that meets the conditions.
vpn-instance vpn-instance-name: displays the peer groups of the specified VPN instance.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the peer group "aaa".
<Eudemon> display bgp group aaa
 Group : aaa
 type : external
 no as-number
 no member in this group
 configuration within the group :
 route-policy specified in export policy : apply_med_100
 no export policy filter-policy
 no export policy acl
 no export policy ip-prefix
 no import policy route-policy
 no import policy filter-policy
 no import policy acl
 no import policy ip-prefix
Format
display bgp [ multicast | vpnv4 { all | route-distinguisher rd-value | vpn-instance vpn-instance-name } ] network
Parameters
vpnv4: displays the VPNv4 routes that are advertised through the network command.
all: displays all the VPNv4 routes that are advertised through the network command.
route-distinguisher rd-value: displays information about the route distinguisher (RD) that meets the conditions.
vpn-instance vpn-instance-name: displays the routes that are advertised by the specified VPN instance.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display information about the configured routes.
<Eudemon> display bgp network
 Network          Mask             Route-policy
 ----------------------------------------------
 133.1.1.0        255.255.255.0    None
 112.1.0.0        255.255.0.0      None
Format
display bgp paths as-regular-expression
Parameters
as-regular-expression: specifies the regular expression that the AS-Path must match.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the paths containing 200.
<Eudemon> display bgp paths ^200$
 Flags: # - valid, ^ - best, D - damped, H - history, I - internal, S - aggregate suppressed
Format
display bgp [ multicast | vpnv4 { all | route-distinguisher rd-value | vpn-instance vpn-instance-name } ] peer [ peer-address ] [ verbose ]
Parameters
vpnv4: displays the peers of VPNv4.
all: displays all the peers of VPNv4.
route-distinguisher rd-value: displays information about the route distinguisher (RD) that meets the conditions.
vpn-instance vpn-instance-name: displays the peers of the VPN instance.
peer-address: specifies the IP address of the peer, in dotted decimal format.
verbose: displays detailed information about the peer.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the peers.
<Eudemon> display bgp peer
 Peer       AS-num  Ver  Queued-Tx  Msg-Rx  Msg-Tx  Up/Down   State
 -------------------------------------------------------------------
 1.1.1.10   300     4    0          3       5       00:00:10  Established
 2.2.2.11   100     4    0          0       0       Never     Idle
Table 2-39 shows the description of the display bgp peer command output.
Table 2-39 Description of the display bgp peer command output
 Item        Description
 Peer        IP address of the peer
 AS-num      AS number of the peer
 Ver         BGP version of the peer
 Queued-Tx   Number of packets in the sending queue
 Msg-Rx      Number of messages received from the peer
 Msg-Tx      Number of messages sent to the peer
 Up/Down     Time during which the BGP session has been in the current state
 State       The peer status
Table 2-40 shows the description of the display bgp peer verbose command output.
Table 2-40 Description of the display bgp peer verbose command output
 Item                        Description
 Peer: 1.1.1.10+1024         IP address of the peer and port number used to set up the TCP connection
 Local: 1.1.1.20+179         IP address of the local BGP speaker and port number used to set up the TCP connection
 Type: Internal              Type of BGP peer: Internal indicates an IBGP peer; External indicates an EBGP peer
 State: Established          Current state of the peer
 Expiring Time: 00:02:49     Expiry time of the peer (available only to peers in Established state)
 Last State: OpenConfirm     State before the current state
 Last Event: RecvKeepAlive   Last event that caused the state change
 Peer capabilities           Result of peer capability negotiation
 Route refresh               Route refreshing capability: advertised indicates that routes can be advertised; received indicates that routes can be received
                             Capability of the IPv4 unicast address family
                             Capability of the IPv4 multicast address family
                             Capability of the IPv4 VPN address family
Format
display bgp [ multicast | vpnv4 { all | route-distinguisher rd-value | vpn-instance vpn-instance-name } ] routing-table [ ip-address mask | statistic ]
Parameters
multicast: specifies the multicast BGP routing information in the BGP routing table.
vpnv4: specifies the VPNv4 routing information.
all: displays the routing information about all VPNv4s.
route-distinguisher rd-value: displays information about the route distinguisher (RD) that meets the conditions.
vpn-instance vpn-instance-name: displays the routing information about the specified VPN instance.
ip-address: specifies the destination network address, in dotted decimal format.
mask: specifies the network mask, in dotted decimal format.
statistic: displays statistics about the routes.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the BGP routing information.
<Eudemon> display bgp routing-table
 Flags: # - valid ^ - active D - damped H - history I - internal S - aggregate suppressed

 Dest/Mask             Next-hop      Med  Local-pref  Origin  As-path
 --------------------------------------------------------------------
 #^  2.2.2.0/26        0.0.0.0                        IGP
 #^  6.0.0.0           127.0.0.1                      INC
 #^  6.6.0.0/16        0.0.0.0                        INC
 #^  6.7.0.0/16        0.0.0.0                        INC
 #^  6.8.0.0/16        0.0.0.0                        INC
 #^  10.110.101.125/32 0.0.0.0                        INC
 #^  55.0.0.0          0.0.0.0                        INC
 # I                   1.1.1.10           100         INC
 #^I 55.1.0.0/16       1.1.1.10           100         INC
 #^  55.1.0.0/24       0.0.0.0                        INC
 #^  192.168.1.1/32    0.0.0.0                        INC
Table 2-41 shows the description of the display bgp vpnv4 routing-table command output.
Table 2-41 Description of the display bgp vpnv4 routing-table command output
 Item      Description
 Age       The period of time elapsed since the routing information was last updated
 From      Source of the routing information: local indicates a locally created route; for routing information from a peer, the IP address and Router ID of the peer are displayed in the format peer_IP_address (Router_ID), such as 2.2.2.11 (10.110.101.122)
 State     valid: valid route; sourced: locally created route; external: external route; best: the best route, that is, the chosen one
 Nexthop
 Origin
Format
display bgp [ multicast | vpnv4 { all | route-distinguisher rd-value | vpn-instance vpn-instance-name } ] routing-table as-path-acl as-path-acl-number
Parameters
vpnv4: displays the BGP routing information about a VPNv4.
all: displays the BGP routing information about all VPNv4s.
route-distinguisher rd-value: displays information about the route distinguisher (RD) that meets the conditions.
vpn-instance vpn-instance-name: displays the BGP routing information about the specified VPN instance.
as-path-acl-number: specifies the AS path ACL number to be matched. The value is an integer ranging from 1 to 199.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the routes that match AS path ACL 1.
<Eudemon> display bgp routing-table as-path-acl 1
 Flags: # - valid, ^ - best, D - damped, H - history, I - internal, S - aggregate suppressed
 Dest/Mask         Pref  Next-Hop     Med  Local-pref  Origin  As-path
 ---------------------------------------------------------------------
 #^ 1.1.1.0/24     170   10.10.10.1   0                IGP     200
 #^ 1.1.2.0/24     170   10.10.10.1   0                IGP     200
 #^ 1.1.3.0/24     170   10.10.10.1   0                IGP     200
 #^ 2.2.3.0/24     256   10.10.10.1   0                INC     200
 #^ 4.4.4.0/24     256   10.10.10.1   0                INC     200
 #^ 9.9.9.0/24     256   10.10.10.1   0                INC     200
 #^ 10.10.10.0/24  256   10.10.10.1   0                IGP     200
 #^ 22.1.0.0/16    256   200.1.7.2         100         INC     200
 #  88.1.0.0/16    60    0.0.0.0                       IGP
Format
display bgp [ multicast | vpnv4 { all | route-distinguisher rd-value | vpn-instance vpn-instance-name } ] routing-table cidr
Parameters
vpnv4: displays the BGP routing information about a VPNv4.
all: displays the BGP routing information about all VPNv4s.
route-distinguisher rd-value: displays information about the route distinguisher (RD) that meets the conditions.
vpn-instance vpn-instance-name: displays the BGP routing information about the specified VPN instance.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the routing information about the CIDR.
<Eudemon> display bgp routing-table cidr
 Flags: # - valid, ^ - best, D - damped, H - history, I - internal, S - aggregate suppressed
 Dest/Mask         Pref  Next-Hop     Med  Local-pref  Origin  As-path
 ---------------------------------------------------------------------
 #^ 22.1.0.0/16    256   200.1.7.2         100         INC     200
 #  88.1.0.0/16    60    0.0.0.0                       IGP
Format
display bgp [ multicast | vpnv4 { all | route-distinguisher rd-value | vpn-instance vpn-instance-name } ] routing-table community [ aa:nn | no-export-subconfed | no-advertise | no-export ] [ whole-match ]
Parameters
vpnv4: displays the BGP routing information about a VPNv4. all: displays the BGP routing information about all VPNv4s. route-distinguisher rd-value: displays information about the route distinguisher (RD) that meets the conditions. vpn-instance vpn-instance-name: displays the BGP routing information about the specified VPN instance. aa:nn: specifies a community number. no-export-subconfed: matches routes carrying the NO_EXPORT_SUBCONFED community, which are not advertised outside the local sub-AS (outside the local AS when no confederation is used). no-advertise: matches routes carrying the NO_ADVERTISE community, which are not advertised to any peer. no-export: matches routes carrying the NO_EXPORT community, which are not advertised outside the AS (the whole confederation) but may be advertised to other sub-ASs. whole-match: displays only the routes whose community attribute exactly matches the specified communities.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the routing information matching the specified BGP community number.
<Eudemon> display bgp routing-table community 11:22
 Flags: # - valid, ^ - best, D - damped, H - history, I - internal, S - aggregate suppressed
 Dest/Mask Pref Next-Hop Med Local-pref Origin As-path
 ------------------------------------------------------------------
 #^ 1.0.0.0/8 170 172.10.0.2 100 IGP
 #^ 2.0.0.0/8 256 172.10.0.2 100 IGP
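The three well-known community keywords above are the CLI names for the RFC 1997 values, and the difference between no-export and no-export-subconfed is easy to get backwards. The following added example (written for this page, not Eudemon code) encodes aa:nn and keyword communities to their 32-bit values and applies the RFC 1997 advertisement rules to a route; the peer kinds "ibgp", "confed-ebgp" and "ebgp", the whole-match reading as exact set equality, and the sample routes are assumptions made here for illustration.

```python
"""BGP communities: aa:nn encoding, RFC 1997 well-known values, and the
advertisement rule each well-known value imposes.

Added example for this page; not Eudemon code.  Helper names, the peer kinds
and the sample routes are constructed for illustration.
"""
import re

# RFC 1997 well-known community values behind the CLI keywords on this page.
NO_EXPORT = 0xFFFFFF01            # no-export
NO_ADVERTISE = 0xFFFFFF02         # no-advertise
NO_EXPORT_SUBCONFED = 0xFFFFFF03  # no-export-subconfed

WELL_KNOWN = {
    "no-export": NO_EXPORT,
    "no-advertise": NO_ADVERTISE,
    "no-export-subconfed": NO_EXPORT_SUBCONFED,
}


def encode_community(text: str) -> int:
    """Turn 'aa:nn' or a well-known keyword into the 32-bit community value."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    m = re.fullmatch(r"(\d{1,5}):(\d{1,5})", text)
    if not m:
        raise ValueError(f"bad community {text!r}")
    aa, nn = int(m.group(1)), int(m.group(2))
    if aa > 0xFFFF or nn > 0xFFFF:
        raise ValueError(f"community {text!r} out of range")
    return (aa << 16) | nn


def decode_community(value: int) -> str:
    """Inverse of encode_community: keyword for well-known values, else aa:nn."""
    for name, known in WELL_KNOWN.items():
        if known == value:
            return name
    return f"{value >> 16}:{value & 0xFFFF}"


def may_advertise(communities, peer_kind: str) -> bool:
    """Apply the RFC 1997 rules.  peer_kind (assumed vocabulary): 'ibgp' for a
    peer in the local (sub-)AS, 'confed-ebgp' for a peer in another sub-AS of
    the same confederation, 'ebgp' for a peer outside the AS/confederation."""
    cs = set(communities)
    if NO_ADVERTISE in cs:
        return False                     # never sent to any peer
    if NO_EXPORT_SUBCONFED in cs and peer_kind != "ibgp":
        return False                     # stays inside the local sub-AS
    if NO_EXPORT in cs and peer_kind == "ebgp":
        return False                     # stays inside the AS/confederation
    return True


def matches(route_communities, wanted, whole_match: bool) -> bool:
    """Mirror of 'display bgp routing-table community ... [ whole-match ]'.
    Assumed semantics: without whole-match a route matches when it carries
    every listed community; with whole-match its community set must equal
    the listed set exactly."""
    have, want = set(route_communities), set(wanted)
    return have == want if whole_match else want <= have


# Constructed sample: the route from the display above, tagged 11:22 plus NO_EXPORT.
SAMPLE_ROUTE = [encode_community("11:22"), NO_EXPORT]
```

Usage: `may_advertise(SAMPLE_ROUTE, "confed-ebgp")` is true while `may_advertise(SAMPLE_ROUTE, "ebgp")` is false, which is exactly the distinction the no-export parameter text draws; swapping NO_EXPORT for NO_EXPORT_SUBCONFED makes the confederation peer fail too.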
Format
display bgp [ multicast | vpnv4 { all | route-distinguisher rd-value | vpn-instance vpn-instance-name } ] routing-table community-list community-list-number [ whole-match ]
Parameters
vpnv4: displays the BGP routing information about a VPNv4. all: displays the BGP routing information about all VPNv4s. route-distinguisher rd-value: displays information about the route distinguisher (RD) that meets the conditions. vpn-instance vpn-instance-name: displays the BGP routing information about the specified VPN instance. community-list-number: specifies a community-list number. The value is an integer ranging from 1 to 199. whole-match: indicates to display the exactly matched routes.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the routing information matching BGP community list 1.
<Eudemon> display bgp routing-table community-list 1
 Flags: # - valid, ^ - best, D - damped, H - history, I - internal, S - aggregate suppressed
 Destination/Mask Pref Next-hop Med Local-Pref Origin As-Path
 -------------------------------------------------------------------
 1.1.1.0/24 170 10.10.10.1 0 IGP 200
 1.1.2.0/24 256 10.10.10.1 0 IGP 200
 1.1.3.0/24 170 10.10.10.1 0 IGP 200
 2.2.3.0/24 256 10.10.10.1 0 INC 200
 4.4.4.0/24 170 10.10.10.1 0 INC 200
 9.9.9.0/24 256 10.10.10.1 0 INC 200
 10.10.10.0/24 0 10.10.10.2 0 IGP
 10.10.10.0/24 256 10.10.10.1 0 IGP 200
Format
display bgp routing-table dampened
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View BGP dampened routes.
<Eudemon> display bgp routing-table dampened
 Flags: # - valid, ^ - best, D - damped, H - history, I - internal, S - aggregate suppressed
 Dest/Mask Source Damping-limit Origin As-path
 ----------------------------------------------------------------
 #D 11.1.0.0 133.1.1.2 1:20:00 IGP 200
Format
display bgp [ multicast | vpnv4 { all | route-distinguisher rd-value | vpn-instance vpn-instance-name } ] routing-table different-origin-as
Parameters
vpnv4: displays the BGP routing information about a VPNv4. all: displays the BGP routing information about all VPNv4s. route-distinguisher rd-value: displays information about the route distinguisher (RD) that meets the conditions. vpn-instance vpn-instance-name: displays the BGP routing information about the specified VPN instance.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the routes that have different source ASs.
<Eudemon> display bgp routing-table different-origin-as
 Flags: # - valid, ^ - best, D - damped, H - history, I - internal, S - aggregate suppressed
 Destination/Mask Pref Next-hop Med Local-Pref Origin As-Path
 -----------------------------------------------------------------
 10.10.10.0/24 0 10.10.10.2 0 IGP
 10.10.10.0/24 256 10.10.10.1 0 IGP 200
Format
display bgp routing-table flap-info [ { regular-expression as-regular-expression } | { as-path-acl as-path-acl-number } | { ip-address [ mask [ longer-match ] ] } ]
Parameters
as-regular-expression: Displays the route flap-info matching AS path regular expression. as-path-acl-number: Specifies the AS path ACL number to be matched. The value is an integer ranging from 1 to 199. ip-address: Indicates the network IP address related to the flap information to be displayed. mask: Specifies the network mask. longer-match: Displays the route flap information that is more specific than ip-address mask.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When ip-address mask is 0.0.0.0 0.0.0.0, this command displays the flap information of all BGP routes.
Examples
# Display BGP flap information.
<Eudemon> display bgp routing-table flap-info
 Flags: # - valid, ^ - best, D - damped, H - history, I - internal, S - aggregate suppressed
 Dest/Mask Source Keepup-time Damping-limit Flap-times Origin As-path
 -------------------------------------------------------------------
 #D 11.1.0.0/16 133.1.1.2 48 1:20:30 4 IGP 200
Format
display bgp [ multicast | vpnv4 { all | route-distinguisher rd-value | vpn-instance vpn-instance-name } ] routing-table peer peer-address { advertised | received } [ statistic | ip-address mask ]
Parameters
vpnv4: displays routing information obtained through BGP advertisement between VPNv4 and specified BGP peers or received by specified BGP peers. all: displays routing information obtained through BGP advertisement between all VPNv4s and specified BGP peers or received by specified BGP peers. route-distinguisher rd-value: displays information about the route distinguisher (RD) that meets the conditions. vpn-instance vpn-instance-name: displays routing information obtained through BGP advertisement between specified VPN instances and specified BGP peers or received by specified BGP peers. peer-address: specifies the IP address of the peer, in dotted decimal format. advertised: specifies the routing information advertised to the specified peer. received: specifies the routing information received from the specified peer. statistic: indicates the routing statistics information. ip-address: indicates the IP address of the network. mask: indicates the subnet mask.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the routing information advertised to BGP peer 10.10.10.1.
<Eudemon> display bgp routing-table peer 10.10.10.1 advertised
Format
display bgp [ multicast | vpnv4 { all | route-distinguisher rd-value | vpn-instance vpn-instance-name } ] routing-table regular-expression as-regular-expression
Parameters
vpnv4: displays routing information (about a VPNv4) that matches the regular expression of the specified AS. all: displays the routing information (about all VPNv4s) that matches the regular expression of the specified AS. route-distinguisher rd-value: displays information about the route distinguisher (RD) that meets the conditions. vpn-instance vpn-instance-name: displays the routing information (about the specified VPN instance) that matches the regular expression of the specified AS. as-regular-expression: Indicates the matched AS regular expression.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the routing information matching the AS regular expression ^[0-9]+.
<Eudemon> display bgp routing-table regular-expression ^[0-9]+
 Flags: # - valid, ^ - active, I - internal, D - damped, H - history, S - aggregate suppressed
 Dest/Mask Next-Hop Med Local-pref Origin Path
 -------------------------------------------------------------------------
 #^I 12.23.194.0/24 67.0.0.2 100 IGP 100 6762 701 8 14021
 #^I 12.31.24.0/24 67.0.0.2 100 IGP 100 6762 701 8 14056
 #^I 12.31.159.0/24 67.0.0.2 100 IGP 100 7473 418 1 20457
 #^I 12.33.114.0/24 67.0.0.2 100 IGP 100 6762 701 8 13938
 #^I 12.41.54.0/24 67.0.0.2 100 IGP 100 6762 701 8 13938
 #^I 12.109.107.0/24 67.0.0.2 100 IGP 100 7473 432 3 18862
 #^I 12.145.158.0/24 67.0.0.2 100 IGP 100 6762 701 8 14013
 #^I 12.155.118.0/24 67.0.0.2 100 IGP 100 6762 701 8 14035
 #^I 12.193.82.0/24 67.0.0.2 100 IGP 100 6762 701 8 14009
 #^I 38.96.195.0/24 67.0.0.2 100 IGP 100 7473 174 18689
Format
group group-name [ internal | external ] undo group group-name
Parameters
group-name: specifies the name of the peer group, a string of 1 to 47 characters (letters and digits). internal: creates an internal (IBGP) peer group. external: creates an external (EBGP) peer group, which includes groups of peers in other sub-ASs of the confederation.
Views
BGP view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, an IBGP peer group is created.
The members of a peer group cannot be configured with a route update (export) policy different from that of the peer group, but they can be configured with different ingress (import) policies.
Examples
# Establish an IBGP peer group test.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
Format
import-route protocol [ med med-value | route-policy policy-name ] * undo import-route protocol
Parameters
protocol: specifies source routing protocols which can be imported, which includes direct, static, ospf, ospf-ase, rip and ospf-nssa. med-value: specifies the MED value of an imported route. The value is an integer ranging from 0 to 4294967295. policy-name: specifies the name of a route-policy to filter the imported route.
Views
BGP view, multicast sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
If the import-route command applies a route-policy whose apply clauses set an attribute (apply A) on the routes imported from other protocols, and the peer is configured with an export route-policy whose if-match clauses test that attribute (if-match A), the two policies take effect in turn: the attribute set at import time is what the export policy matches on when the routes are sent to the peer. By default, a BGP speaker does not import the routes of other protocols.
Examples
# Import the OSPF route whose process ID is 1 to BGP.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] import-route ospf 1
2.15.29 ipv4-family
Function
Using the ipv4-family command, you can enter IPv4 extended address family view of BGP. Using the undo ipv4-family command, you can remove all configurations in extended address family view and return to BGP view.
Format
ipv4-family { multicast | vpn-instance vpn-instance-name | vpnv4 [ unicast ] } undo ipv4-family { multicast | vpn-instance vpn-instance-name | vpnv4 [ unicast ] }
Parameters
multicast: specifies the multicast sub-address family. vpn-instance vpn-instance-name: associates the specified VPN instance with the IPv4 address family. vpnv4: specifies the VPNv4 sub-address family. unicast: specifies the unicast sub-address family.
Views
BGP view
Default Level
2: Configuration level
Usage Guidelines
The parameter multicast enters the multicast sub-address family view, where the multicast extensions of MBGP are configured. The parameter vpn-instance enters the VPN-instance view, where the VPN-related configuration of MBGP is performed. The parameter vpnv4 enters the VPNv4 sub-address family view, where the BGP/MPLS VPN configuration of MBGP is performed.
Examples
# Enter the IPv4 address family view of BGP for the VPN instance named vpn.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] ipv4-family vpn-instance vpn
Format
network ip-address [ mask ] [ route-policy policy-name ] undo network ip-address [ mask ] [ route-policy policy-name ]
Parameters
ip-address: Specifies the IP address that BGP advertises, in dotted decimal format. mask: Specifies the mask of the network address. policy-name: Specifies the route-policy applied to advertised routes.
Views
BGP view, multicast sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, the local BGP does not advertise any route.
Examples
# Configure the local device to advertise routes to network segment 10.0.0.0/16.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] network 10.0.0.0 255.255.0.0
Format
peer group-name advertise-community undo peer group-name advertise-community
Parameters
group-name: specifies the name of peer group.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, the community attribute is not transmitted to any peer group.
Examples
# Enable the transmission of the community attribute to a peer group "test".
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test advertise-community
Format
peer { group-name | peer-address } allow-as-loop [ number ] undo peer { group-name | peer-address } allow-as-loop
Parameters
group-name: specifies the name of the peer group. peer-address: specifies the IP address of the peer, in dotted decimal format. number: specifies how many times the local AS number may appear in the AS_PATH of a received route before the route is rejected as a loop, in the range of 1 to 10. By default, the value is 3.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, the local AS number cannot be repeated: a received route whose AS_PATH already contains the local AS number is treated as a routing loop and discarded. This command relaxes that loop check up to the configured count, so apply it only to the peers whose topology requires it (for example, VPN sites that share one AS number), not globally.
Examples
# Set the repeating times of local AS number to 2.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] peer 1.1.1.1 allow-as-loop 2
Format
peer group-name as-number as-number undo peer group-name as-number
Parameters
group-name: specifies the name of the peer group. as-number: specifies the AS number of the peer/peer group, in the range of 1 to 65535.
Views
BGP view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, no AS number is configured for the peer group.
Examples
# Specify the AS number for the peer group "test" as 100.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test external
[Eudemon-bgp] peer test as-number 100
Format
peer group-name as-path-acl as-path-acl-number export undo peer group-name as-path-acl as-path-acl-number export
Parameters
group-name: specifies the name of peer group. as-path-acl-number: specifies the filter ACL number of an AS regular expression, in the range of 1 to 199.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, BGP route filtering policy based on AS path ACL is not applied. The peer as-path-acl export command can only be configured for peer groups.
Examples
# Configure peer group test to apply AS path ACL 3 to advertised routes.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test as-path-acl 3 export
Format
peer { group-name | peer-address } as-path-acl as-path-acl-number import undo peer { group-name | peer-address } as-path-acl as-path-acl-number import
Parameters
group-name: specifies the name of peer group. peer-address: specifies the IP address of peer, in dotted decimal format. as-path-acl-number: specifies the filter ACL number of an AS regular expression, in the range of 1 to 199. import: apply route filtering policy to received routes.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, BGP route filtering policy based on AS path ACL is not applied. The preference of inbound filtering policy of the peer is higher than that of the peer group.
Examples
# Configure peer group "test" to apply AS path ACL 3 to received routes.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test as-path-acl 3 import
Format
peer { group-name | peer-address } connect-interface interface-type interface-number undo peer { group-name | peer-address } connect-interface
Parameters
group-name: specifies the name of the peer group. peer-address: specifies the IP address of the peer, in dotted decimal format. interface-type: specifies the interface type. interface-number: specifies the interface number.
Views
BGP view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, BGP uses the physical interface that directly connects to the neighbor as the local (source) interface of the TCP connection. BGP uses TCP as its transport protocol, so a session bound to a physical interface goes down with that interface. To make the session independent of any single link, specify a local loopback interface as the source interface of update packets. An EBGP peer reached through a loopback address is no longer directly connected, so peer ebgp-max-hop must be configured for it as well.
Examples
# Specify peer group test to use Loopback interface 1 as the source interface of update packets.
<Eudemon> system-view
[Eudemon] interface loopback 1
[Eudemon-LoopBack1] quit
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test connect-interface loopback 1
Function
Using the peer default-route-advertise command, you can advertise a default route to the peer. Using the undo peer default-route-advertise command, you can cancel the existing configuration.
Format
peer group-name default-route-advertise undo peer group-name default-route-advertise
Parameters
group-name: specifies the name of peer group.
Views
BGP view, multicast sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, BGP does not advertise default route to the peer. After the peer default-route-advertise command is executed, a default route is sent unconditionally to a peer with the next hop as itself, no matter whether there is default route in the local routing table. The advertised default route is not added into the table. The preference of the default route is higher than that of the default route in the local routing table.
Examples
# Specify a peer group "test" to import the default route.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test default-route-advertise
Format
peer { group-name | peer-address } description description-line undo peer { group-name | peer-address } description
Parameters
group-name: specifies the name of peer group. peer-address: specifies the IP address of the peer, in dotted decimal format. description-line: indicates the description information configured, in character string with the maximum length 79.
Views
BGP view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, description information of peer/peer group is not configured. Description information of a peer and that of its peer group are mutually independent.
Examples
# Specify the description information of peer group test as city1.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test description city1
Format
peer { group-name | peer-address } ebgp-max-hop [ hop-value ] undo peer { group-name | peer-address } ebgp-max-hop
Parameters
group-name: specifies the name of peer group.
peer-address: specifies the IP address of the peer. hop-value: specifies the maximum hop value, in the range of 1 to 255. By default, the value is 64.
Views
BGP view
Default Level
2: Configuration level
Usage Guidelines
By default, the local device is only allowed to establish connection with directly connected EBGP peers.
Examples
# Establish EBGP connection with the peer group "test" on the indirectly connected network.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test external
[Eudemon-bgp] peer test ebgp-max-hop
Format
peer { group-name | peer-address } enable undo peer { group-name | peer-address } enable
Parameters
group-name: specifies the name of the peer group. peer-address: specifies the IP address of the peer, in dotted decimal format.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, L2VPN address family view
Default Level
2: Configuration level
Usage Guidelines
By default, a BGP peer or peer group is enabled in the IPv4 unicast address family and disabled in the VPN and MBGP address families. If a peer or peer group is disabled, the device exchanges no routing information with it. The undo form disables the peer or peer group. When one connection is used by both unicast and multicast, you can disable the unicast peer to delete only the unicast connection.
NOTE
• The peer peer-address enable command can only be configured in the unicast address family. To remove the unicast capability of the peer, execute the undo command.
• To remove the multicast or VPNv4 capability of the peer, delete the peer from the group in the corresponding address family.
Examples
# Disable the peer 18.10.0.9, which makes the local device exchange no BGP routing information with 18.10.0.9.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer 18.10.0.9 group test
[Eudemon-bgp] undo peer 18.10.0.9 enable
Format
peer group-name filter-policy acl-number export undo peer group-name filter-policy acl-number export
Parameters
group-name: specifies the name of the peer group. acl-number: specifies the IP ACL number, in the range of 2000 to 3999, that is, a basic ACL or an advanced ACL. export: applies the filtering policy to advertised routes. This parameter is valid for peer groups only.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, no ACL-based filtering policy is configured. The peer filter-policy export command can only be configured for peer group.
Examples
# Configure peer group test to apply ACL 2003 to advertised routes.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test filter-policy 2003 export
Format
peer { group-name | peer-address } filter-policy acl-number import undo peer { group-name | peer-address } filter-policy acl-number import
Parameters
group-name: specifies the name of peer group. peer-address: specifies the IP address of the peer, in dotted decimal format. acl-number: specifies the IP ACL number, in the range of 2000 to 3999. It indicates basic ACL or advanced ACL.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, ACL-based filtering policy is not configured. The preference of inbound filtering policy of the peer is higher than that of the peer group.
Examples
# Configure peer group test to apply ACL 2003 to received routes.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test filter-policy 2003 import
Format
peer peer-address group group-name [ as-number as-number ] undo peer peer-address
Parameters
group-name: specifies the name of peer group. peer-address: specifies the IP address of the peer, in dotted decimal format. as-number: specifies AS number for the peer, in the range of 1 to 65535. It is only valid in BGP view and VPN-instance view.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
In BGP view and VPN-instance view, when adding a peer to an external peer group that has no AS number configured, you must specify the peer's AS number at the same time. This is unnecessary when adding the peer to an internal peer group or to an external peer group with a configured AS number. In the multicast sub-address family view and the VPNv4 address family view, the peer to be added must already exist and must already have been added to a peer group in BGP view. In different address family views, a peer can be added to different peer groups, and a peer group can have different members.
Examples
# Add the peer with IP address being 10.1.1.1 to peer group test. In the example, the type of peer group defaults to IBGP peer, so it is unnecessary to specify AS number when adding members to the group.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer 10.1.1.1 group test
Format
peer group-name ip-prefix prefixname export undo peer group-name ip-prefix prefixname export
Parameters
group-name: specifies the name of peer group. prefixname: specifies the name of the specified ip-prefix, in character string ranging from 1 to 19.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, the route filtering policy of the peer group is not specified. The peer ip-prefix export command can only be configured for the peer group.
Examples
# Configure peer group test to apply IP prefix list1 to advertised routes.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test ip-prefix list1 export
Format
peer { group-name | peer-address } ip-prefix prefixname import undo peer { group-name | peer-address } ip-prefix prefixname import
Parameters
group-name: specifies the name of peer group. peer-address: specifies the IP address of the peer, in dotted decimal format. prefixname: specifies the name of prefix list, in character string ranging from 1 to 19.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, no route filtering policy based on an IP prefix list is applied. A policy configured for the peer takes precedence over the one configured for its peer group.
Examples
# Configure peer group test to apply IP prefix list list1 to received routes.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test ip-prefix list1 import
Format
peer { group-name | peer-address } listen-only undo peer { group-name | peer-address } listen-only
Parameters
group-name: specifies the name of a peer group. peer-address: specifies the IP address of a peer in dotted decimal notation.
Views
BGP view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Configure the peer group test to be in the listen-only state.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test listen-only
Format
peer group-name next-hop-local
Parameters
group-name: specifies the name of peer group.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
When BGP advertises routes to the EBGP peer, it specifies the local address as the next hop. When BGP advertises routes to the IBGP peer, it does not change the next hop by default.
Examples
# When BGP advertises the route to peer group "test", it will take its own address as the next hop.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test next-hop-local
Format
peer { group-name | peer-address } password { cipher | simple } password undo peer { group-name | peer-address } password
Parameters
group-name: specifies the name of the peer group. peer-address: specifies the IP address of the peer, in dotted decimal format. cipher: stores and displays the configured password in cipher text in the configuration. simple: stores and displays the configured password in plain text in the configuration, so anyone who can read the configuration recovers the password; prefer cipher. password: indicates the password, as a character string. When simple is specified, or when cipher is specified and the password is entered in plain text, the password is 1 to 16 characters long. When cipher is specified and the password is entered in cipher text, the password must be 24 characters long.
Views
BGP view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, BGP does not perform MD5 authentication when TCP connection is set up. Once MD5 authentication is enabled, both parties involved in the authentication must be configured with identical authentication modes and passwords. Otherwise, TCP connection will not be set up because of the failed authentication. This command is used to configure MD5 authentication for the specific peer only when the peer group to which the peer belongs is not configured with MD5 authentication. Otherwise, the peer should be consistent with the peer group.
Examples
# Adopt MD5 authentication on the TCP connection set up between the local device at 10.1.100.1 and the peer device at 10.1.100.2. The authentication mode is "simple" and password is "test".
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] peer 10.1.100.2 password simple test
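The MD5 authentication that peer password turns on is the TCP MD5 Signature Option of RFC 2385: every segment carries a 16-byte digest of the TCP pseudo-header, the TCP header (options excluded, checksum field zero), the payload and the shared password, and a receiver whose password differs computes a different digest and drops the segment, which is why the session never comes up when the two sides disagree. The following added example (written for this page, not Eudemon code) computes and verifies that digest; the segment fields, the 19-byte BGP KEEPALIVE payload and the password are constructed for illustration, and the function names are assumptions.

```python
"""TCP MD5 signature option (RFC 2385), the mechanism behind 'peer ... password'.

Added example written for this page; not Eudemon code.  The sample segment,
its payload and the password are constructed for illustration.
"""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCP_HDR_LEN = 20          # fixed header; options are not covered by the digest


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window, urg,
                   options_len, payload, password):
    """Return the 16-byte digest a sender places in the MD5 option (kind 19).

    Hash input, in RFC 2385 order: pseudo-header, TCP header with checksum 0
    and options removed, segment data, then the password.  The segment length
    in the pseudo-header still counts the option bytes even though they are
    not hashed, exactly as the checksum pseudo-header does.
    """
    if not 1 <= len(password) <= 16:          # limit given on this page
        raise ValueError("BGP MD5 password must be 1 to 16 characters")
    seg_len = TCP_HDR_LEN + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    data_offset = (TCP_HDR_LEN + options_len) // 4   # header words, options included
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                          (data_offset << 12) | (flags & 0x3F),
                          window, 0, urg)            # checksum field forced to 0
    return hashlib.md5(pseudo + tcp_hdr + payload + password.encode()).digest()


def verify(segment, received_digest, password):
    """Receiver side: recompute with the locally configured password and
    compare in constant time.  A mismatch means wrong password, altered
    addresses/ports/sequence numbers, or altered payload."""
    expected = tcp_md5_digest(password=password, **segment)
    return hmac.compare_digest(expected, received_digest)


# Constructed sample: a KEEPALIVE (marker, length 19, type 4) from the local
# device 10.1.100.1 to the peer 10.1.100.2 used in the example above.
SAMPLE = dict(src_ip="10.1.100.1", dst_ip="10.1.100.2", sport=20001, dport=179,
              seq=0x11223344, ack=0x55667788, flags=0x18, window=16384, urg=0,
              options_len=20,                 # 18-byte MD5 option plus 2 bytes padding
              payload=b"\xff" * 16 + b"\x00\x13\x04")
```

Because the password is mixed into the hash of the addresses and sequence numbers, a forged RST or data segment from a third party fails verification even when the attacker guesses the sequence window; what the option does not give you is confidentiality or protection against an attacker who already knows the password, and the 16-character limit on this platform is a reason to pick the password from a random source rather than a word.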
Format
peer group-name public-as-only undo peer group-name public-as-only
Parameters
group-name: specifies the name of peer group.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, private AS numbers (64512 to 65534) are carried in the AS_PATH of BGP Update messages. With this command, private AS numbers are removed from the AS_PATH before Update messages are sent to the peer group, which is what an EBGP peer group facing the public Internet should have. The peer public-as-only command is only valid for a BGP peer group.
Examples
# Configure not to carry private AS number when transmitting BGP update packets to the peer group test.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test external
[Eudemon-bgp] peer test public-as-only
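Several commands on this page act on the AS_PATH attribute: the loop check relaxed by peer allow-as-loop, the private-AS stripping done by peer public-as-only, and the regular-expression and AS path ACL matching used by display bgp routing-table regular-expression and peer as-path-acl import/export. The following added example (written for this page, not Eudemon code) performs those four operations on a received path in the order a speaker would; it assumes Python regular-expression syntax for the AS path regex, a first-match-wins ACL with an implicit deny, and constructed AS paths taken from the displays above.

```python
"""AS_PATH handling behind allow-as-loop, public-as-only, regular-expression
matching and AS path ACLs.

Added example written for this page; not Eudemon code.  The regex dialect
(Python re over the space-separated path), the first-match-wins ACL with a
default deny, and the sample paths are assumptions made for illustration.
"""
import re

PRIVATE_AS = range(64512, 65535)     # 2-byte private AS numbers 64512-65534


def as_path_string(path):
    """Textual form used by the display commands, e.g. '100 6762 701 8 14021'."""
    return " ".join(str(asn) for asn in path)


def accept_from_peer(path, local_as, allow_as_loop=0):
    """Loop check on a received AS_PATH.  Default: any occurrence of the local
    AS means a loop and the route is rejected.  'peer ... allow-as-loop N'
    permits up to N occurrences."""
    return path.count(local_as) <= allow_as_loop


def advertise_to_ebgp(path, local_as, public_as_only=False):
    """Build the AS_PATH sent to an EBGP peer: strip private ASes when
    'peer ... public-as-only' is set, then prepend the local AS."""
    out = list(path)
    if public_as_only:
        out = [asn for asn in out if asn not in PRIVATE_AS]
    return [local_as] + out


def match_as_regex(path, regex):
    """'display bgp routing-table regular-expression <regex>': match the
    regex against the textual AS path (Python re syntax assumed)."""
    return re.search(regex, as_path_string(path)) is not None


def as_path_acl(path, rules):
    """Evaluate an AS path ACL as used by 'peer ... as-path-acl N import|export'.
    rules: ordered (action, regex) pairs, action 'permit' or 'deny'; the first
    matching rule decides, and a path matching no rule is denied (assumed)."""
    text = as_path_string(path)
    for action, regex in rules:
        if re.search(regex, text):
            return action == "permit"
    return False


# Constructed samples: one path from the regular-expression display above, one
# carrying a private AS, and an empty path for a locally originated route.
PATH_FROM_DISPLAY = [100, 6762, 701, 8, 14021]
PATH_WITH_PRIVATE = [65001, 200]
PATH_EMPTY = []

# ACL 3 from the as-path-acl examples, as an assumed rule set: drop anything
# that transited AS 701, permit everything else.
ACL_3 = [("deny", r"\b701\b"), ("permit", r".*")]
```

Reading the functions together shows the security shape of these knobs: accept_from_peer is the only thing standing between a peer and an AS_PATH that loops back through you, so raising allow_as_loop on an Internet-facing peer widens that hole; advertise_to_ebgp with public_as_only=False is how private AS numbers leak into public routing tables; and as_path_acl is the import-side check that lets you refuse such paths from a peer regardless of what it sends.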
Format
peer group-name reflect-client undo peer group-name reflect-client
Parameters
group-name: specifies the name of peer group.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, no route reflector is in AS.
Examples
# Configure peer group "test" as the route reflector client.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test reflect-client
Format
peer group-name route-policy policy-name export
undo peer group-name route-policy policy-name export
Parameters
group-name: specifies the name of the peer group.
policy-name: specifies the name of the route-policy.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, no route-policy is configured. The peer route-policy export command is valid only for a peer group.
Examples
# Configure peer group test to apply route-policy test-policy to outbound routes.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test route-policy test-policy export
Format
peer { group-name | peer-address } route-policy policy-name import
undo peer { group-name | peer-address } route-policy policy-name import
Parameters
group-name: specifies the name of the peer group.
peer-address: specifies the IP address of the peer, in dotted decimal format.
policy-name: specifies the name of the route-policy.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, no route-policy is configured. An inbound route-policy configured for an individual peer takes precedence over the one configured for its peer group.
Examples
# Configure peer group test to apply route policy test-policy to inbound routes.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test route-policy test-policy import
Format
peer group-name route-update-interval interval
undo peer group-name route-update-interval
Parameters
group-name: specifies the name of the peer group.
interval: specifies the interval between Update messages, in seconds, ranging from 0 to 600.
Views
BGP view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, the intervals are as follows:
- The interval for IBGP peer groups to send Update messages is 5 seconds.
- The interval for EBGP peer groups to send Update messages is 30 seconds.
Examples
# Set the minimum interval of Update messages sent by BGP peer group test to 10 seconds.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test route-update-interval 10
Format
peer { group-name | peer-address } timer keepalive keepalive-interval hold holdtime-interval
undo peer { group-name | peer-address } timer
Parameters
group-name: specifies the name of the peer group.
peer-address: specifies the IP address of the peer, in dotted decimal format.
keepalive-interval: specifies the interval for sending Keepalive messages, in seconds, ranging from 1 to 65535. By default, its value is 60 seconds.
holdtime-interval: specifies the Holdtime interval, in seconds, ranging from 3 to 65535. By default, its value is 180 seconds.
Views
BGP view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
CAUTION
If the value of a timer changes, the BGP peer relationship between the devices is torn down, because the peers must re-negotiate the Keepalive and Holdtime values. Confirm the action before using this command. A timer configured with the peer timer command takes priority over one configured with the timer command. Note that the Holdtime interval must be at least three times the Keepalive interval.
Examples
# Configure Keepalive and Holdtime intervals of peer group "test".
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] peer test timer keepalive 100 hold 300
Format
preference ebgp-value ibgp-value local-value
undo preference
Parameters
ebgp-value: specifies the EBGP route preference, in the range of 1 to 256. By default, the value is 256.
ibgp-value: specifies the IBGP route preference, in the range of 1 to 256. By default, the value is 256.
local-value: specifies the preference of locally generated routes, in the range of 1 to 256. By default, the value is 130.
Views
BGP view, multicast sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
Different types of routes in BGP can be configured with different preferences.
Examples
# Set the preferences of EBGP, IBGP and locally generated routes to 170.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] preference 170 170 170
Format
reflect between-clients
undo reflect between-clients
Parameters
None
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, reflection between clients is enabled. Once a route reflector is configured, it reflects the routes learned from one client to the other clients.
Examples
# Disable the reflection between clients.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] undo reflect between-clients
Format
reflector cluster-id { cluster-id | cluster-address }
undo reflector cluster-id
Parameters
cluster-id: specifies the cluster ID of the route reflector in integer format, in the range of 1 to 4294967295.
cluster-address: specifies the cluster ID of the route reflector in IP address format.
Views
BGP view, multicast sub-address family view, VPNv4 sub-address family view
Default Level
2: Configuration level
Usage Guidelines
By default, each route reflector uses its Router ID as the cluster ID. Usually there is only one route reflector in a cluster, and the cluster is identified by the router ID of that reflector. You can configure multiple route reflectors to improve the stability of the network. If a cluster is configured with multiple route reflectors, use this command to configure the same cluster ID on all of them.
Examples
# Set the cluster ID on the local router to identify the cluster.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] group test
[Eudemon-bgp] reflector cluster-id 80
[Eudemon-bgp] peer test reflect-client
Format
refresh bgp { all | peer-address | group group-name } [ multicast | vpn-instance vpn-instance-name | vpnv4 | l2vpn ] { import | export }
Parameters
all: refreshes all the peers.
peer-address: refreshes the peer with the specified address.
group-name: refreshes all members of the specified peer group.
multicast: refreshes routes in the multicast sub-address family for the peer.
vpn-instance vpn-instance-name: refreshes VPN routes for the peer in the specified VPN-instance.
vpnv4: refreshes routes in the VPNv4 sub-address family for the peer.
l2vpn: refreshes routes in the L2VPN address family for the peer.
import: sends a ROUTE-REFRESH packet to the peer to request retransmission of all its routes.
export: retransmits all the routes to the peer.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
After a BGP connection is established, only incremental routes are transmitted. In some cases, for example when a routing policy is changed, both ends need to retransmit their routes so that the routes are filtered again according to the new policy.
Examples
# Require all the peers to retransmit VPNv4 routes.
<Eudemon> refresh bgp all vpnv4 import
Format
reset bgp { all | peer-address } [ vpn-instance vpn-instance-name ]
Parameters
all: resets all BGP connections.
peer-address: resets the connection with the specified BGP peer.
vpn-instance-name: specifies the name of the VPN-instance. It is a string of 1 to 19 characters.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
After changing the BGP policy or protocol configuration, resetting BGP connection can make the newly configured policy take effect immediately.
Examples
# Reset all the BGP connections to enable the new configuration (after configuring the new Keepalive interval and Holdtime interval using the timer command).
<Eudemon> reset bgp all
Format
reset bgp dampening [ ip-address [ mask ] ]
Parameters
ip-address: specifies the IP address whose route flap dampening information is to be cleared.
mask: specifies the network mask.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Clear the dampening information about routes to network 20.1.0.0 and unsuppress the suppressed routes.
<Eudemon> reset bgp dampening 20.1.0.0 255.255.0.0
Format
reset bgp flap-info [ regular-expression as-regular-expression | as-path-acl as-path-acl-number | ip-address [ mask ] ]
reset bgp ip-address [ flap-info ]
Parameters
regular-expression as-regular-expression: clears the flap information matching the AS path regular expression.
as-path-acl as-path-acl-number: clears the flap information matching the specified filter list. The parameter as-path-acl-number ranges from 1 to 199.
ip-address: clears the flap information of the record at this IP address. If this parameter is placed before flap-info, the device clears the flap information of all the routes from this address.
mask: specifies the network mask.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Clear the flap information of all the routes matching filter list 100.
<Eudemon> reset bgp flap-info as-path-acl 100
Format
reset bgp group group-name [ vpn-instance vpn-instance-name ]
Parameters
group-name: specifies the name of the peer group, a string of 1 to 47 characters.
vpn-instance-name: specifies the name of the VPN-instance. It is a string of 1 to 19 characters.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Reset BGP connections of all members of peer group "test".
<Eudemon> reset bgp group test
Format
summary automatic
undo summary automatic
Parameters
None
Views
BGP view, multicast sub-address family view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
By default, sub-network routes are not summarized automatically. After the summary automatic command is configured, BGP no longer advertises the sub-network routes imported from the IGP, which reduces the amount of routing information.
Examples
# Enable the automatic summary of the sub-network routes.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] summary automatic
Format
timer keepalive keepalive-interval hold holdtime-interval
undo timer
Parameters
keepalive-interval: specifies the interval for sending Keepalive messages, in seconds, ranging from 1 to 65535. By default, its value is 60 seconds.
holdtime-interval: specifies the Holdtime interval of BGP, in seconds, ranging from 3 to 65535. By default, its value is 180 seconds.
Views
BGP view, VPN-instance view
Default Level
2: Configuration level
Usage Guidelines
CAUTION
If the value of a timer changes, the BGP peer relationship between the devices is torn down, because the peers must re-negotiate the Keepalive and Holdtime values. Confirm the action before using this command. Note that the Holdtime interval must be at least three times the Keepalive interval.
Examples
# Set the Keepalive interval and Holdtime timer of BGP to 30 seconds and 90 seconds.
<Eudemon> system-view
[Eudemon] bgp 1
[Eudemon-bgp] timer keepalive 30 hold 90
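The following is an added example, not code from the Huawei command reference: a small linter for the BGP timer lines described in the peer timer and timer entries above. It checks the documented ranges, the rule that the Holdtime must be at least three times the Keepalive interval, and the priority of a peer timer over the global timer. Function names and the sample configuration are assumptions.

```python
"""Added example (not part of the Huawei command reference): lint BGP
'timer keepalive ... hold ...' and 'peer ... timer keepalive ... hold ...'
lines against the ranges and rules documented for the Eudemon.
Function names and the sample configuration are assumptions."""
import re
from typing import Dict, List, Sequence, Tuple

KEEPALIVE_RANGE = (1, 65535)   # seconds, as documented
HOLDTIME_RANGE = (3, 65535)    # seconds, as documented
DEFAULT_TIMERS = (60, 180)     # documented defaults (keepalive, hold)

# "timer keepalive <k> hold <h>" in BGP view
GLOBAL_RE = re.compile(r"^\s*timer\s+keepalive\s+(\d+)\s+hold\s+(\d+)\s*$")
# "peer <group-name|peer-address> timer keepalive <k> hold <h>"
PEER_RE = re.compile(
    r"^\s*peer\s+(\S+)\s+timer\s+keepalive\s+(\d+)\s+hold\s+(\d+)\s*$")

# Constructed sample BGP configuration (not captured from a real device)
SAMPLE_CONFIG = [
    "bgp 1",
    " timer keepalive 30 hold 90",                   # valid
    " group test external",
    " peer test timer keepalive 100 hold 300",       # valid: exactly 3 x keepalive
    " peer 10.1.100.2 timer keepalive 60 hold 120",  # invalid: hold < 3 x keepalive
]


def check_timer(keepalive: int, hold: int) -> List[str]:
    """Return the problems with one keepalive/hold pair (empty list if valid)."""
    problems: List[str] = []
    if not KEEPALIVE_RANGE[0] <= keepalive <= KEEPALIVE_RANGE[1]:
        problems.append(f"keepalive {keepalive} is outside {KEEPALIVE_RANGE}")
    if not HOLDTIME_RANGE[0] <= hold <= HOLDTIME_RANGE[1]:
        problems.append(f"hold {hold} is outside {HOLDTIME_RANGE}")
    if hold < 3 * keepalive:
        problems.append(
            f"hold {hold} is less than 3 x keepalive ({3 * keepalive})")
    return problems


def parse_timers(config_lines: Sequence[str]) -> Dict[str, Tuple[int, int]]:
    """Map each timer scope ('global' or 'peer <name>') to (keepalive, hold)."""
    timers: Dict[str, Tuple[int, int]] = {}
    for line in config_lines:
        m = GLOBAL_RE.match(line)
        if m:
            timers["global"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = PEER_RE.match(line)
        if m:
            timers[f"peer {m.group(1)}"] = (int(m.group(2)), int(m.group(3)))
    return timers


def lint_bgp_timers(config_lines: Sequence[str]) -> Dict[str, List[str]]:
    """Return {scope: [problems]} for every timer line in the configuration."""
    return {scope: check_timer(k, h)
            for scope, (k, h) in parse_timers(config_lines).items()}


def effective_timers(config_lines: Sequence[str], peer: str) -> Tuple[int, int]:
    """Timers a peer or peer group actually uses: its own 'peer ... timer'
    line takes priority over the global 'timer' line, which in turn
    overrides the documented defaults."""
    timers = parse_timers(config_lines)
    return timers.get(f"peer {peer}", timers.get("global", DEFAULT_TIMERS))


if __name__ == "__main__":
    for scope, problems in lint_bgp_timers(SAMPLE_CONFIG).items():
        print(scope, "OK" if not problems else "; ".join(problems))
```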
Format
traffic classifier classifier-name
undo traffic classifier classifier-name
Parameters
classifier-name: specifies the name of the defined class. It is a case-sensitive string of 1 to 31 characters without blank space.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
classifier-name shall not be that of the classes pre-defined by the system.
Examples
# Define a class named as class1.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1]
Format
if-match acl acl-number
Parameters
acl-number: specifies an ACL number in the range of 2000 to 3999, where:
- ACLs numbered 2000 to 2999 are basic ACLs.
- ACLs numbered 3000 to 3999 are advanced ACLs.
Views
Traffic classifier view
Default Level
2: Configuration level
Usage Guidelines
Define ACLs before configuring traffic classification rules based on ACLs.
Examples
# Define a class to match ACL 3101.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1] if-match acl 3101
Format
traffic behavior behavior-name
undo traffic behavior behavior-name
Parameters
behavior-name: refers to the behavior name. It is a case-sensitive string of 1 to 31 characters without blank space.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
behavior-name shall not be that of the traffic behavior pre-defined by the system.
Examples
# Define a traffic behavior named behavior1.
<Eudemon> system-view
[Eudemon] traffic behavior behavior1
[Eudemon-behavior-behavior1]
Format
remark ip-nexthop nexthop-ip-address output-interface { interface-type interface-number }
undo remark ip-nexthop
Parameters
nexthop-ip-address: specifies the IP address of the next hop, in X.X.X.X format.
interface-type: specifies the interface type.
interface-number: specifies the interface number.
Views
Behavior view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the next hop address of a behavior to 100.1.1.1 on GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] traffic behavior redir1
[Eudemon-behavior-redir1] remark ip-nexthop 100.1.1.1 output-interface GigabitEthernet 0/0/0
Format
qos policy policy-name
undo qos policy policy-name
Parameters
policy-name: specifies the name of a policy. It is a case-sensitive string of 1 to 31 characters without blank space.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
A policy cannot be deleted while it is applied to a security zone; remove it from the security zone first. policy-name must not be the name of a policy defined by the system.
Examples
# Define a policy named as test.
<Eudemon> system-view
[Eudemon] qos policy test
[Eudemon-qospolicy-test]
Format
classifier classifier-name behavior behavior-name
undo classifier classifier-name
Parameters
classifier-name: must be the name of a defined class, either system-defined or user-defined.
behavior-name: must be the name of a defined behavior, either system-defined or user-defined.
Views
QoS policy view
Default Level
2: Configuration level
Usage Guidelines
Each class in the policy can only be associated with one behavior. The undo command is not used for the default class.
Examples
# Specify the behavior test for the class database in the policy policy1.
<Eudemon> system-view
[Eudemon] qos policy policy1
[Eudemon-qospolicy-policy1] classifier database behavior test
Format
qos apply policy policy-name { inbound | outbound }
undo qos apply policy { inbound | outbound }
Parameters
policy-name: specifies the name of a policy. It is a case-sensitive string of 1 to 31 characters without blank space.
inbound: refers to the inbound direction.
outbound: refers to the outbound direction.
Views
Security zone view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Apply the policy default in the outbound direction of Trust security zone.
<Eudemon> system-view
[Eudemon] firewall zone trust
[Eudemon-zone-trust] qos apply policy default outbound
Format
display qos policy user-defined [ policy-name [ classifier classifier-name ] ]
Parameters
user-defined: indicates a policy defined by the user.
policy-name: specifies the policy name. If it is not specified, the configuration of all user-defined policies is displayed.
classifier-name: specifies the class name in the policy.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
classifier-name shall not be that of the classes pre-defined by the system.
Examples
# Display the information about the car policy and class defined by the user.
<Eudemon> display qos policy user-defined car classifier class
 User Defined QoS Policy Information:
 Classifier: class
 Behavior: behavior
 Committed Access Rate:
 CIR 1000000 (bps), CBS 500000 (bit), EBS 0 (bit)
 Conform Action: pass
 Exceed Action: discard
Format
display traffic behavior user-defined [ behavior-name ]
Parameters
user-defined: refers to a behavior defined by the user.
behavior-name: specifies the behavior name, a string of 1 to 31 characters. If it is not specified, the configuration of all user-defined behaviors is displayed.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the user-defined behavior behavior1 on the device.
<Eudemon> display traffic behavior user-defined behavior1
 User Defined Behavior Information:
 Behavior: behavior1
 Marking:
 ip-nexthop 1.1.1.1 out-interface GigabitEthernet0/0/0
Function
Using the display traffic classifier command, you can view the classes configured on the Eudemon.
Format
display traffic classifier user-defined [ classifier-name ]
Parameters
user-defined: refers to a class defined by the user.
classifier-name: specifies the class name, a string of 1 to 31 characters. If it is not specified, all user-defined classes are displayed.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the user-defined class class1 configured on the Eudemon.
<Eudemon> display traffic classifier user-defined class1
 User Defined Classifier Information:
 Classifier: class1
 Operator: AND
 Rule(s) : if-match acl 3000
2.17.8 if-match acl (Traffic Classifier View)
2.17.9 qos apply policy
2.17.10 qos policy
2.17.11 traffic behavior
2.17.12 traffic classifier
2.17.1 car
Function
Using the car command, you can configure traffic monitoring for a behavior. Using the undo car command, you can delete the configuration.
Format
car cir committed-information-rate
undo car
Parameters
cir: indicates the committed information rate.
committed-information-rate: specifies the committed information rate of the traffic, in the range of 100,000 bit/s to 1,000,000,000 bit/s.
Views
Traffic behavior view
Default Level
2: Configuration level
Usage Guidelines
When the QoS policy applied to a security zone uses CAR, the CAR can be applied in the inbound or outbound direction of the zone. If zone-based CARs are configured in both the inbound and outbound directions of a zone (the two directions may use the same ACL), the CARs in both directions take effect.
Examples
# Apply traffic monitoring to a behavior. The normal traffic rate is 384000 bit/s.
<Eudemon> system-view
[Eudemon] traffic behavior database
[Eudemon-behavior-database] car cir 384000
Format
classifier classifier-name behavior behavior-name
undo classifier classifier-name
Parameters
classifier-name: must be the name of a defined class, either system-defined or user-defined.
behavior-name: must be the name of a defined behavior, either system-defined or user-defined.
Views
QoS policy view
Default Level
2: Configuration level
Usage Guidelines
Each class in the policy can only be associated with one behavior. The undo command is not used for the default class.
Examples
# Specify the behavior test for the class database in the policy policy1.
<Eudemon> system-view
[Eudemon] qos policy policy1
[Eudemon-qospolicy-policy1] classifier database behavior test
Format
display qos policy user-defined [ policy-name [ classifier classifier-name ] ]
Parameters
user-defined: indicates a policy defined by the user.
policy-name: specifies the policy name. If it is not specified, the configuration of all user-defined policies is displayed.
classifier-name: specifies the class name in the policy.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
classifier-name shall not be that of the classes pre-defined by the system.
Examples
# Display the information about the car policy and class defined by the user.
<Eudemon> display qos policy user-defined car classifier class
 User Defined QoS Policy Information:
 Classifier: class
 Behavior: behavior
 Committed Access Rate:
 CIR 1000000 (bps), CBS 500000 (bit), EBS 0 (bit)
 Conform Action: pass
 Exceed Action: discard
Format
display traffic behavior user-defined [ behavior-name ]
Parameters
user-defined: refers to a behavior defined by the user.
behavior-name: specifies the behavior name, a string of 1 to 31 characters. If it is not specified, the configuration of all user-defined behaviors is displayed.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the user-defined behavior on the device.
<Eudemon> display traffic behavior user-defined
Format
display traffic classifier user-defined [ classifier-name ]
Parameters
user-defined: refers to a class defined by the user.
classifier-name: specifies the class name, a string of 1 to 31 characters. If it is not specified, all user-defined classes are displayed.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the user-defined class class1 configured on the Eudemon.
<Eudemon> display traffic classifier user-defined class1
 User Defined Classifier Information:
 Classifier: class1
 Operator: AND
 Rule(s) : if-match acl 3000
Format
firewall car-class class-number bandwidth
undo firewall car-class class-number
Parameters
class-number: specifies the number of the bandwidth class, in the range of 1 to 7.
bandwidth: specifies the upper bandwidth limit for the bandwidth limit class. It ranges from 50,000 to 100,000,000 bit/s. By default, the bandwidth threshold of each class is 100,000,000 bit/s. If the bandwidth threshold is set to 100,000,000 bit/s, the traffic is not restricted.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the bandwidth threshold of class 1 to 50,000 bit/s.
<Eudemon> system-view
[Eudemon] firewall car-class 1 50000
Format
firewall conn-class class-number number
undo firewall conn-class class-number
Parameters
class-number: specifies the number of the connection class, in the range of 1 to 7.
number: specifies the upper limit on the number of connections for the connection limit class. It ranges from 1 to 65535. The default connection number threshold of each class is 65535.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the connection number threshold of class 1 to 10000.
<Eudemon> system-view
[Eudemon] firewall conn-class 1 10000
Format
if-match acl acl-number
undo if-match acl acl-number
Parameters
acl-number: specifies an ACL number in the range of 2000 to 3999, where:
- ACLs numbered 2000 to 2999 are basic ACLs.
- ACLs numbered 3000 to 3999 are advanced ACLs.
Views
Traffic classifier view
Default Level
2: Configuration level
Usage Guidelines
Define ACLs before configuring traffic classification rules based on ACLs.
Examples
# Define a class to match ACL 3101.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1] if-match acl 3101
Format
qos apply policy policy-name { inbound | outbound }
undo qos apply policy { inbound | outbound }
Parameters
policy-name: specifies the name of a policy. It is a case-sensitive string of 1 to 31 characters without blank space.
inbound: refers to the inbound direction.
outbound: refers to the outbound direction.
Views
Security zone view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Apply the policy default in the outbound direction of Trust security zone.
<Eudemon> system-view
[Eudemon] firewall zone trust
[Eudemon-zone-trust] qos apply policy default outbound
Format
qos policy policy-name
undo qos policy policy-name
Parameters
policy-name: specifies the name of a policy. It is a case-sensitive string of 1 to 31 characters without blank space.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
A policy cannot be deleted while it is applied to a security zone; remove it from the security zone first. policy-name must not be the name of a policy defined by the system.
Examples
# Define a policy named as test.
<Eudemon> system-view
[Eudemon] qos policy test
[Eudemon-qospolicy-test]
Using the undo traffic behavior command, you can delete a traffic behavior.
Format
traffic behavior behavior-name
undo traffic behavior behavior-name
Parameters
behavior-name: refers to the behavior name. It is a case-sensitive string of 1 to 31 characters without blank space.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
behavior-name shall not be that of the traffic behavior pre-defined by the system.
Examples
# Define a traffic behavior named behavior1.
<Eudemon> system-view
[Eudemon] traffic behavior behavior1
[Eudemon-behavior-behavior1]
Format
traffic classifier classifier-name
undo traffic classifier classifier-name
Parameters
classifier-name: specifies the name of the defined class. It is a case-sensitive string of 1 to 31 characters without blank space.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
classifier-name shall not be that of the classes pre-defined by the system.
Examples
# Define a class named as class1.
<Eudemon> system-view
[Eudemon] traffic classifier class1
[Eudemon-classifier-class1]
3 Security Defense
About This Chapter
3.1 VPN-instance Configuration Commands
3.2 ACL Configuration Commands
3.3 Security Zone Configuration Commands
3.4 Session Configuration Commands
3.5 Packet Filter Configuration Commands
3.6 Attack Defense and Packet Statistics Configuration Commands
3.7 ASPF Configuration Commands
3.8 Blacklist Configuration Commands
3.9 MAC and IP Address Binding Configuration Commands
3.10 Port Mapping Configuration Commands
3.11 NAT Configuration Commands
3.12 Static Multicast Configuration Commands
3.13 Content Filtering Configuration Commands
3.14 GTP Configuration Commands
3.15 IDS Cooperation Configuration Commands
3.16 AAA Configuration Commands
3.17 RADIUS Server Configuration Commands
3.18 HWTACACS Server Configuration Commands
3.19 Domain Configuration Commands
3.20 Local User Configuration Commands
3.21 L2TP Configuration Commands
3.22 GRE Configuration Commands
3.23 IPSec Configuration Commands
3.24 P2P Traffic Limiting Configuration Commands
3.25 Secospace Cooperation Configuration Commands
Format
display ip vpn-instance [ verbose ] [ vpn-instance-name ]
Parameters
verbose: displays the VPN instance in detail. If the keyword is not specified, the system displays only brief information about the virtual firewall.
vpn-instance-name: specifies the name of the VPN instance. It is a string of 1 to 19 case-insensitive characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display detailed configurations of VPN instance v1.
<Eudemon> display ip vpn-instance verbose v1
 VPN-Instance : vpn
 vpn-id : 11
 Description : vpn1
 Route-Distinguisher : 100:3
 Interfaces : GigabitEthernet0/0/3
 No Export-ext-communities
 No Import-ext-communities
Table 3-1 shows the description of the display ip vpn-instance verbose command output.
Table 3-1 Description of the display ip vpn-instance verbose command output
Item                 Description
VPN-Instance         Name of the VPN instance.
vpn-id               ID of the VPN instance.
Description          Description of the VPN instance.
Route-Distinguisher  Route distinguisher of the VPN instance.
Interfaces           Interfaces that belong to the VPN instance.
3.1.2 ip vpn-instance
Function
Using the ip vpn-instance command, you can create a VPN instance and enter the VPN instance view. Using the undo ip vpn-instance command, you can delete a specified VPN instance.
Format
ip vpn-instance vpn-instance-name [ vpn-id vpn-id ]
undo ip vpn-instance vpn-instance-name
Parameters
vpn-instance-name: specifies the name of the VPN instance. It is a string of 1 to 19 case-insensitive characters.
vpn-id: specifies the VPN instance number, in the range of 1 to 99.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
A VPN instance can be deleted only by the superuser; virtual firewall users cannot delete a VPN instance. "public" is another name for VPN0, so avoid using the name public when creating VPN instances.
Examples
# Create VPN instance v1 and enter the VPN instance view.
<Eudemon> system-view
[Eudemon] ip vpn-instance v1
[Eudemon-vpn-v1]
3.1.3 route-distinguisher
Function
Using the route-distinguisher command, you can configure the route distinguisher (RD) for a VPN instance.
Format
route-distinguisher vpn-route-distinguisher
Parameters
vpn-route-distinguisher: specifies the RD. The formats of RD are divided into the following two types: asn:nn and ip-address:nn.
Views
VPN instance view
Default Level
2: Configuration level
Usage Guidelines
A route distinguisher (RD) is used to distinguish IP prefixes that share the same address space. The RD alone does not identify the originator of a route or the VPN instance to which a route belongs. Service providers can assign RDs independently, but they must ensure that each RD is globally unique. In this way, even if VPNs from different service providers share the same IP address space, the firewall can still deliver different routes to each VPN. A VPN instance does not take effect until an RD is configured. Once an RD is configured, it cannot be modified; to change it, delete the VPN instance and reconfigure the RD. The RD takes one of the following two formats:
- 16-bit AS number (ASN):32-bit user-defined number, for example 101:3. The AS number ranges from 0 to 65535 and the user-defined number from 0 to 4294967295. The AS number and the user-defined number cannot both be 0; that is, an RD cannot be 0:0.
- 32-bit IP address:16-bit user-defined number, for example 192.168.122.15:1. The IP address ranges from 0.0.0.0 to 255.255.255.255 and the user-defined number from 0 to 65535.
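The two RD formats, the 0:0 restriction and the "configure once, globally unique" rules described above can be checked offline before a change window. The following Python is an added example, not Eudemon code: parse_rd, rd_is_valid and VpnInstanceTable are names chosen here, and the table only models the administrative rules stated in the guidelines (it does not talk to a device).

```python
"""Route distinguisher (RD) parsing and one-shot assignment (added example, not Eudemon code)."""
import ipaddress
import re

ASN_MAX = 0xFFFF          # 16-bit AS number
NN_32_MAX = 0xFFFFFFFF    # 32-bit user-defined number in the asn:nn format
NN_16_MAX = 0xFFFF        # 16-bit user-defined number in the ip-address:nn format
_DIGITS = re.compile(r"[0-9]+")


def parse_rd(text: str) -> tuple:
    """Return ("asn", "<asn>", nn) or ("ip", "<a.b.c.d>", nn).

    Raises ValueError for anything outside the two documented formats,
    including the forbidden 0:0.
    """
    head, sep, tail = text.partition(":")
    if not sep or not _DIGITS.fullmatch(tail):
        raise ValueError(f"RD {text!r} must be asn:nn or ip-address:nn")
    nn = int(tail)
    if _DIGITS.fullmatch(head):
        asn = int(head)
        if asn > ASN_MAX:
            raise ValueError(f"AS number {asn} exceeds 16 bits")
        if nn > NN_32_MAX:
            raise ValueError(f"user-defined number {nn} exceeds 32 bits")
        if asn == 0 and nn == 0:
            raise ValueError("RD 0:0 is not allowed")
        return ("asn", str(asn), nn)
    try:
        addr = ipaddress.IPv4Address(head)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{head!r} is neither an AS number nor an IPv4 address") from exc
    if nn > NN_16_MAX:
        raise ValueError(f"user-defined number {nn} exceeds 16 bits")
    return ("ip", str(addr), nn)


def rd_is_valid(text: str) -> bool:
    try:
        parse_rd(text)
        return True
    except ValueError:
        return False


class VpnInstanceTable:
    """Models two rules from the guidelines: an RD is configured once per VPN
    instance (change it only by deleting and recreating the instance), and it
    must be unique across instances. Assumption: this is a local bookkeeping
    model, not how the device stores its configuration."""

    def __init__(self) -> None:
        self._rd_of: dict = {}   # vpn-instance-name -> canonical RD text

    def set_rd(self, vpn_name: str, rd_text: str) -> str:
        _kind, prefix, nn = parse_rd(rd_text)
        canonical = f"{prefix}:{nn}"
        if vpn_name in self._rd_of:
            raise ValueError(f"{vpn_name}: RD already configured; delete and recreate the instance to change it")
        if canonical in self._rd_of.values():
            raise ValueError(f"RD {canonical} is already used by another VPN instance")
        self._rd_of[vpn_name] = canonical
        return canonical

    def try_set_rd(self, vpn_name: str, rd_text: str) -> bool:
        """Convenience wrapper: True if the RD was accepted, False if rejected."""
        try:
            self.set_rd(vpn_name, rd_text)
            return True
        except ValueError:
            return False

    def delete(self, vpn_name: str) -> None:
        """Deleting the VPN instance is the only way to free or change its RD."""
        self._rd_of.pop(vpn_name, None)
```

Because the AS-number form allows a 32-bit user-defined number while the IP-address form allows only 16 bits, the validator has to decide which format it is looking at before checking the range; a value such as 192.168.122.15:65536 is rejected even though 65536 would be fine after an AS number.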
Examples
# Configure the RD 111:1 for the VPN instance named v1.
<Eudemon> system-view
[Eudemon] ip vpn-instance v1 vpn-id 1
[Eudemon-vpn-v1] route-distinguisher 111:1
Format
routing-table limit max-counter { threshold-value | simply-alert }
undo routing-table limit
Parameters
max-counter: specifies the maximum number of routes allowed in the virtual firewall. The value ranges from 1 to 4294967295.
threshold-value: specifies the percentage of max-counter at which alarm information is generated. The value ranges from 1 to 100.
simply-alert: specifies that a system log is output when the number of routes exceeds the maximum allowed in the virtual firewall.
Views
VPN instance view
Default Level
2: Configuration level
Usage Guidelines
By default, Eudemon does not restrict the number of routes in virtual firewalls.
Examples
# Restrict the number of routes in virtual firewalls.
<Eudemon> system-view
[Eudemon] ip vpn-instance v1 vpn-id 1
[Eudemon-vpn-v1] route-distinguisher 111:1
[Eudemon-vpn-v1] routing-table limit 1000 simply-alert
Format
acl accelerate enable
undo acl accelerate enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the function is disabled.
Examples
# Enable accelerated ACL searching.
<Eudemon> system-view
[Eudemon] acl accelerate enable
Format
acl [ number ] acl-number [ vpn-instance vpn-instance-name ] [ match-order { config | auto } ]
undo acl { [ number ] acl-number | all }
Parameters
number acl-number: specifies the number of an Access Control List (ACL). It is an integer in one of the following ranges:
- ACLs numbered 2000 to 2999 are basic ACLs.
- ACLs numbered 3000 to 3999 are advanced ACLs.
vpn-instance vpn-instance-name: specifies the ACL of a VPN instance. vpn-instance-name indicates the name of the VPN instance. The value is a string of 1 to 19 characters.
match-order: specifies the match order.
config: filters packets against rules in the order in which they are configured.
auto: filters packets against rules in the system default order (based on the "depth-first" principle).
all: refers to all the ACLs.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
An ACL contains a series of rules, each of which is a permit or deny statement. You must create an ACL before defining its rules. When creating an ACL you can optionally specify the match order; by default, the match order is config.
Examples
# Create an ACL numbered 2010.
<Eudemon> system-view
[Eudemon] acl number 2010
[Eudemon-acl-basic-2010]
3.2.3 address
Function
Using the address command, you can set the address elements in the address set. Using the undo address command, you can delete the specified address elements in the address set.
Format
address [ address-id ] ip-address wildcard [ description ]
undo address address-id
Parameters
address-id: specifies the code of the address element; it is an integer in the range 0 to 1023.
ip-address: specifies the IP address in dotted decimal.
wildcard: specifies the address wildcard in dotted decimal. A wildcard of 0 or 0.0.0.0 indicates a single host.
description: describes the element in the address set. It is a string of 1 to 31 characters.
Views
Address set view
Default Level
2: Configuration level
Usage Guidelines
When you configure the address command and specify a code:
- If an address element with that code already exists, the Eudemon returns an error if no description is given; if a description is given, the new description replaces the old one.
- If no address element has that code, a new address element is created with the specified code.
If no code is specified, an address element is added and the system automatically allocates a code for it. Up to 1024 address elements can be set for one address set. The address elements in one address set cannot be the same.
Examples
# Set the address elements in the address set abc.
<Eudemon> system-view
[Eudemon] ip address-set abc
[Eudemon-address-set-abc] address 1 1.1.1.0 0.0.0.255
[Eudemon-address-set-abc] address 2 2.2.2.0 0.0.0.255
3.2.4 description
Function
Using the description command, you can add the description information of an ACL rule, port set, and address set. Using the undo description command, you can delete the description information of an ACL rule, port set, and address set.
Format
description text
undo description
Parameters
text: indicates the description information of an ACL rule, port set, and address set. The value is a string of 1 to 127 characters.
Views
ACL rule view, port set view, and address set view
Default Level
2: Configuration level
Usage Guidelines
When configuring an ACL rule, port set, and address set, add the related description information respectively, such as the name and the function, to facilitate later maintenance.
Examples
# Add the description information of ACL 2000.
<Eudemon> system-view
[Eudemon] acl number 2000
[Eudemon-acl-basic-2000] description test
Format
display acl { all [ vpn-instance vpn-instance-name | public ] | acl-number1 | accelerate [ acl-number2 ] }
Parameters
all: displays all the ACLs.
vpn-instance-name: displays all the ACL rules of the VPN instance.
public: displays the ACL rules of VPN0.
acl-number1: specifies a number-based ACL in the range 2000 to 2999 or 3000 to 3999, where:
- ACLs numbered 2000 to 2999 are basic ACLs.
- ACLs numbered 3000 to 3999 are advanced ACLs.
accelerate: displays the running status of accelerated ACL searching.
acl-number2: specifies an ACL number in the range 2000 to 3999.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When viewing the ACL, users with different rights see different results. For example:
- A superuser can view all the configured ACL rules, including the ACL rules belonging to a specified VPN instance.
- When running the display acl all command, a virtual user can view only the ACL rules of the VPN instance to which the virtual user belongs.
- When a virtual user runs the display acl all command with vpn-instance, the Eudemon displays the ACL rules of the specified VPN instance only if the virtual user belongs to it. Otherwise, the prompt "The ACL group is not binding with this VPN-Instance." is displayed.
Examples
# Display the rules in ACL 2001.
<Eudemon> display acl 2001
Format
display ip address-set { verbose address-set-name { item | reference } | all [ public | vpn-instance vpn-instance-name ] }
Parameters
verbose: displays the details of the specified address set.
address-set-name: specifies the name of the address set. It is a string of 1 to 19 characters, starting with a letter from a to z or A to Z.
item: displays the content of the elements in the address set.
reference: displays the ACL rules that reference the specified address set.
all: displays the information on all the address sets.
public: displays the information on address sets not belonging to any VPN instance.
vpn-instance-name: specifies the name of the VPN instance; it is a string of 1 to 19 characters. Configure this parameter to display the address sets of the specified VPN instance.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the information on all the address sets.
<Eudemon> display ip address-set all
Address-set total number(s): 3
Address-set item total number(s): 50
Address-set reference total number(s): 7
Address-set : a
 Item number(s): 50
 Reference number(s): 3
Address-set : abc
 Item number(s): 0
 Reference number(s): 0
Address-set : abcd
 Item number(s): 0
 Reference number(s): 4
Table 3-2 shows the description of the display ip address-set all command output.

Table 3-2 Description of the display ip address-set all command output

Item                                   Description
Address-set total number(s)            Indicates the total number of address sets on the Eudemon.
Address-set item total number(s)       Indicates the total number of address elements on the Eudemon.
Address-set reference total number(s)  Indicates the total number of times ACL rules reference address sets on the Eudemon.
Address-set                            Indicates the name of the address set.
Item number(s)                         Indicates the total number of address elements in the address set.
Reference number(s)                    Indicates the number of ACL rules that reference the address set.
# Display the ACL rule of the address set whose reference name is abcd on the Eudemon.
<Eudemon> display ip address-set verbose abcd reference
Address-set : abcd
 Item number(s): 0
 Reference number(s): 4
 Reference(s):
  acl 2000 rule 0
  acl 3000 rule 5
  acl 3000 rule 10
  acl 3010 rule 0
Format
display ip port-set { verbose port-set-name { item | reference } | all [ public | vpn-instance vpn-instance-name ] }
Parameters
verbose: displays the details of the specified port set.
port-set-name: specifies the name of the port set. It is a string of 1 to 19 characters, starting with a letter from a to z or A to Z.
item: displays the content of the specified port set.
reference: displays the ACL rules that reference the specified port set.
all: displays the details of all the port sets.
public: displays all the port sets that do not belong to any VPN instance.
vpn-instance-name: specifies the name of the VPN instance; it is a string of 1 to 19 characters. Use this parameter to display the port sets of the specified VPN instance.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the information on all the port sets.
<Eudemon> display ip port-set all
Port-set total number(s): 3
Port-set item total number(s): 8
Port-set reference total number(s): 1
Port-set Name: a
 Protocol: tcp
 Item number(s): 2
 Reference number(s): 1
Port-set Name: b
 Protocol: udp
 Item number(s): 3
 Reference number(s): 0
Port-set Name: c
 Protocol: tcp
 Item number(s): 3
 Reference number(s): 0
Table 3-3 lists the description of the display ip port-set all command output.

Table 3-3 Description of the display ip port-set all command output

Item                                Description
Port-set total number(s)            Indicates the total number of port sets on the Eudemon.
Port-set item total number(s)       Indicates the total number of port elements on the Eudemon.
Port-set reference total number(s)  Indicates the total number of times ACL rules reference port sets on the Eudemon.
Port-set Name                       Indicates the name of the port set.
Protocol                            Indicates the protocol of the port set, TCP or UDP.
Item number(s)                      Indicates the total number of port elements in the port set.
Reference number(s)                 Indicates the number of ACL rules that reference the port set.
# Display the ACL rules referring the port set abcd on the Eudemon.
<Eudemon> display ip port-set verbose abcd reference
Port-set Name: abcd
 Protocol: tcp
 Item number(s): 0
 Reference number(s): 3
 Reference(s):
  acl 3000 rule 5
  acl 3000 rule 10
  acl 3010 rule 0
Function
Using the display time-range command, you can view the current setting and the state (active or inactive) of the time range.
Format
display time-range { all | time-range-name }
Parameters
time-range-name: specifies the name of the time range. all: displays all the time ranges.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
It is normal to find, through the display time-range command, that a time range is active while the ACL that applies it is still inactive. This is because the system takes about 1 minute to update the ACL state, whereas the display time-range command shows the current state immediately.
Examples
# Display all the time ranges.
<Eudemon> display time-range all
Current time is 17:15:50 12-25-2008 Thursday
Time-range : abc ( Inactive )
 from 10:02 2008/12/13 to 24:00 2008/12/30
Table 3-4 shows the description of the display time-range all command output.

Table 3-4 Description of the display time-range all command output

Item                                           Description
Current time is 17:15:50 12-25-2008 Thursday   Current time
Time-range : abc ( Inactive )                  Name and state of the current time range
from 10:02 2008/12/13 to 24:00 2008/12/30      Details of the current time range
3.2.9 ip address-set
Function
Using the ip address-set command, you can create an address set. Using the undo ip address-set command, you can delete a specified address set.
Format
ip address-set address-set-name [ vpn-instance vpn-instance-name ]
undo ip address-set address-set-name [ vpn-instance vpn-instance-name ]
Parameters
address-set-name: specifies the name of the address set. It is a string of 1 to 19 characters, starting with a letter from a to z or from A to Z.
vpn-instance-name: indicates the name of a VPN instance. It is a string of 1 to 19 characters, starting with a letter from a to z or from A to Z.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no address set is created. If you run the ip address-set command without vpn-instance, the address set is created for VPN 0. An address set created with vpn-instance can be referenced only by ACLs of that VPN instance. The Eudemon supports up to 256 address sets. When an ACL is referenced by certain features, the ACL cannot be updated, and neither can the address sets that the ACL references. An address set that is referenced by an ACL cannot be deleted. After all the address elements are deleted from an address set, the Eudemon still keeps the address set; you can then run the undo ip address-set command to delete the empty address set.
Examples
# Create an address set named abc.
<Eudemon> system-view
[Eudemon] ip address-set abc
3.2.10 ip port-set
Function
Using the ip port-set command, you can create a port set. Using the undo ip port-set command, you can delete a specified port set.
Format
ip port-set port-set-name [ vpn-instance vpn-instance-name ] protocol { tcp | udp }
undo ip port-set port-set-name [ vpn-instance vpn-instance-name ]
Parameters
port-set-name: specifies the name of the port set. It is a string of 1 to 19 characters, starting with a letter from a to z or A to Z.
tcp | udp: indicates the protocol type of the port set, TCP or UDP.
vpn-instance-name: specifies the name of the VPN instance; it is a string of 1 to 19 characters, starting with a letter from a to z or A to Z.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If vpn-instance is not specified when the ip port-set command is run, the port set is created for VPN0. A port set created with vpn-instance can be referenced only by ACLs of that VPN instance. A protocol type must be specified when a port set is created; after creation, you can enter the port set view without specifying the protocol type. By default, no port set is created. The Eudemon supports up to 256 port sets. A port set that is referenced by an ACL cannot be deleted. After all the port elements are deleted from a port set, the Eudemon still keeps the port set; you can then run the undo ip port-set command to delete the empty port set.
Examples
# Create the port set named p1 that uses the TCP.
<Eudemon> system-view
[Eudemon] ip port-set p1 protocol tcp
3.2.11 port
Function
Using the port command, you can set the port element in the port set. Using the undo port command, you can delete the specified port elements in the port set.
Format
port [ port-id ] { eq | gt | lt } port-number1
port [ port-id ] range port-number1 port-number2
undo port port-id
Parameters
port-id: specifies the ID of the port element. In one port set, a port ID identifies only one port element; it is an integer in the range 0 to 63.
eq | gt | lt | range: indicates the port operator: equal to, greater than, less than, and within a range, respectively.
port-number1 port-number2: specifies the port name or number. For TCP, the port name can be: CHARgen, bgp, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ils, imap, irc, klogin, kshell, login, lpd, mms, nntp, pop2, pop3, pptp, rtsp, smtp, sqlnet, ssh, sunrpc, syslog, tacacs, talk, telnet, time, uucp, whois, and www. For UDP, the port name can be: biff, bootpc, bootps, discard, dns, dnsix, echo, gtpv0, gtpv1c, gtpv1u, h323, hwcc, mgcp, mobileip-ag, mobileip-mn, nameserver, netbios-dgm, netbios-ns, netbios-ssn, ntp, rip, rpc, rtsp, sip, snmp, snmptrap, sunrpc, syslog, tacacs-ds, talk, tftp, time, who, and xdmcp. A port number is an integer in the range 0 to 65535.
Views
Port set view
Default Level
2: Configuration level
Usage Guidelines
When you run the port command and specify a code:
- If a port element with that code already exists, the Eudemon reports an error.
- If no port element has that code, a new port element is created with the specified code.
If no code is specified, a port element is added and the system automatically allocates a code for it. Up to 64 port elements can be set for one port set. The port elements in one port set cannot be the same.
Examples
# Create a port set named p1.
<Eudemon> system-view
[Eudemon] ip port-set p1 protocol tcp
[Eudemon-tcp-port-set-p1] port eq 45
[Eudemon-tcp-port-set-p1] port gt 450
3.2.12 rule
Function
Using the rule command in the ACL view, you can add a rule. Using the undo rule command, you can delete a rule.
Format
- Add a rule to or delete a rule from a basic ACL:
rule [ rule-id ] { permit | deny } [ source { source-address source-wildcard | address-set address-set-name | any } | time-range time-name | logging ] *
undo rule rule-id [ source | time-range | logging ] *
- Add a rule to or delete a rule from an advanced ACL:
rule [ rule-id ] { permit | deny } protocol [ source { source-address source-wildcard | address-set address-set-name | any } | destination { destination-address destination-wildcard | address-set address-set-name | any } | source-port { operator port | range port1 port2 | port-set port-set-name } | destination-port { operator port | range port1 port2 | port-set port-set-name } | icmp-type { icmp-type icmp-code | icmp-message } | precedence precedence | tos tos | time-range time-name | logging ] *
undo rule rule-id [ source | destination | source-port | destination-port | icmp-type | precedence | tos | time-range | logging ] *
Parameters
rule-id: specifies the ID of an ACL rule in the range 0 to 4294967294. If the specified ID is already assigned to a rule, the new rule overwrites that rule, which amounts to editing the existing rule. If the specified ID is not assigned to any rule, a new rule is created with that ID. If no ID is specified when you create a rule, the system assigns an ID automatically.
deny: denies the matched packets.
permit: permits the matched packets.
protocol: specifies the protocol over IP, by name or by number. A number-based protocol is an integer from 1 to 255. A name-based protocol can be gre, icmp, igmp, ip, ipinip, ospf, tcp, or udp.
source source-address source-wildcard: specifies the source addresses for the ACL rule; this parameter is optional. Without it, packets from any source match the rule. source-address is the source address of a data packet in dotted decimal. source-wildcard is the wildcard of the source address in dotted decimal. Entering "any" means the source address is 0.0.0.0 and the wildcard is 255.255.255.255.
address-set address-set-name: specifies an address set.
destination destination-address destination-wildcard: specifies the destination addresses for the ACL rule; this parameter is optional. Without it, packets to any destination match the rule. destination-address is the destination address of a data packet in dotted decimal. destination-wildcard is the wildcard of the destination address in dotted decimal. Entering "any" means the destination address is 0.0.0.0 and the wildcard is 255.255.255.255.
icmp-type { icmp-type icmp-code | icmp-message }: specifies the ICMP message type and code; it is valid only when the rule protocol is ICMP and is optional. Without it, all ICMP packets match the rule. Where:
- icmp-type: filters ICMP packets by message type, given as a number in the range 0 to 255.
- icmp-code: additionally filters those packets by message code, given as a number in the range 0 to 255.
- icmp-message: filters ICMP packets by the name of the ICMP message type.
source-port: specifies the source port of TCP/UDP packets; it is valid only when the rule protocol is TCP or UDP and is optional. Without it, all TCP/UDP packets match the rule.
destination-port: specifies the destination port of TCP/UDP packets; it is valid only when the rule protocol is TCP or UDP and is optional. Without it, all TCP/UDP packets match the rule.
operator: specifies the operator used to compare the source or destination port number; it is optional. The operators are as follows:
- range: matches port numbers between port1 and port2.
port, port1, port2: specify port names or numbers of the TCP/UDP packets, given as a name or a number in the range 0 to 65535.
port-set port-set-name: specifies a port set.
precedence precedence: filters packets by precedence, given as a name or a number in the range 0 to 7; optional.
tos tos: filters packets by type of service, given as a name or a number in the range 0 to 15; optional.
logging: logs matched packets; optional. The log includes the sequence number of the ACL rule, the state of the packet (passed or discarded), the type of upper-layer protocol over IP, the source or destination IP address, the source or destination port number, and the time when the packet matched the ACL.
time-range time-name: specifies the valid period of the ACL rule. time-name is a string of 1 to 32 characters.
Views
Basic ACL view for basic ACL rule commands
Advanced ACL view for advanced ACL rule commands
Default Level
2: Configuration level
Usage Guidelines
You must specify the ID of the rule that you want to delete. If you do not know the ID of the rule, you can view it by using the display acl command. Parameters in the undo rule command are described as follows:
- rule-id: the ID of an existing rule. If no parameter follows it, the rule is deleted completely. Otherwise, only the specified part of the rule is deleted.
- source/destination: deletes only the source or destination address in the corresponding rule; optional.
- source-port/destination-port: deletes only the source or destination port in the corresponding rule; optional. They apply only to TCP/UDP rules.
- icmp-type: deletes the ICMP type and message code in the corresponding rule; optional. It is valid only when the rule protocol is ICMP.
- precedence: deletes the precedence setting in the corresponding rule; optional.
- tos: deletes only the tos setting in the corresponding rule; optional.
- time-range: deletes only the valid-period setting in the corresponding rule; optional.
- logging: stops the corresponding rule from logging matched packets; optional.
Examples
# Create an ACL 3101 and add a rule in ACL 3101 to deny receiving or sending RIP packets.
<Eudemon> system-view
[Eudemon] acl number 3101
[Eudemon-acl-adv-3101] rule deny udp destination-port eq rip
3.2.13 step
Function
Using the step command, you can specify a step for an ACL rule group. Using the undo step command, you can restore the default step.
Format
step step-value
undo step
Parameters
step-value: specifies the value of the ACL step.
Views
ACL view
Default Level
2: Configuration level
Usage Guidelines
Step here refers to the difference between each ID. For instance, given the step is set to 5, the IDs are the multiples of 5 beginning with 5. The default is 5. It is easy to insert a rule by using this command. Given there are 4 rules: rule 0, rule 5, rule 10 and rule 15, using the rule 1 xxxx command, you can insert a rule with the number 1 between rule 0 and rule 5.
NOTE
If the step is set, you need to delete the existing rule, including rule 0, before using the step command to change the step or running the undo step command to restore the default step.
Examples
# Set the step of ACL 3101 to 2.
<Eudemon> system-view
[Eudemon] acl number 3101
[Eudemon-acl-adv-3101] step 2
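The rule and step sections above describe wildcard masks, the "any" expansion, port operators, first-match ordering and rule-ID insertion in prose only. The following Python is an added example, not Eudemon code, that models those semantics offline so a rule set can be tested against constructed packets before it is applied. Names (Rule, Acl, wildcard_match, port_match, udp) and the port-name table are constructed here; two points are assumptions rather than statements from the page: auto-assigned rule IDs are taken to be multiples of the step starting at 0 (as in the rule 0, 5, 10, 15 illustration), and the "auto" (depth-first) order is modelled simply as most-specific address first.

```python
"""Offline model of basic/advanced ACL rule matching, rule IDs and step (added example, not Eudemon code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # what the page says 'any' expands to

# Constructed name->number table for a few of the TCP/UDP port names listed above.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "https": 443,
              "dns": 53, "ntp": 123, "snmp": 161, "syslog": 514, "rip": 520}


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_ip: str, address: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, so a wildcard of 0.0.0.0 matches exactly one host."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(packet_ip) & care) == (_ip(address) & care)


def resolve_port(port) -> int:
    """Accept a port number or one of the documented port names."""
    return PORT_NAMES[port] if isinstance(port, str) else int(port)


def port_match(port: int, cond: tuple) -> bool:
    """cond: ('eq'|'gt'|'lt', p), ('range', p1, p2) or ('port-set', [conds])."""
    op = cond[0]
    if op == "port-set":                      # a port set is a union of its elements
        return any(port_match(port, c) for c in cond[1])
    args = [resolve_port(p) for p in cond[1:]]
    if op == "eq":
        return port == args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    if op == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown port operator {op!r}")


@dataclass
class Rule:
    rule_id: int
    action: str                       # "permit" or "deny"
    protocol: str = "ip"              # basic ACL rules behave like protocol ip
    source: tuple = ANY               # (address, wildcard)
    destination: tuple = ANY
    source_port: Optional[tuple] = None
    destination_port: Optional[tuple] = None

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["protocol"] != self.protocol:
            return False
        if not wildcard_match(pkt["src"], *self.source):
            return False
        if not wildcard_match(pkt["dst"], *self.destination):
            return False
        if self.protocol in ("tcp", "udp"):   # port conditions exist only for TCP/UDP rules
            if self.source_port and not port_match(pkt["sport"], self.source_port):
                return False
            if self.destination_port and not port_match(pkt["dport"], self.destination_port):
                return False
        return True

    def specificity(self) -> int:
        """Number of fixed address bits; used to model the 'auto' (depth-first) order."""
        return sum(bin(~_ip(w) & 0xFFFFFFFF).count("1")
                   for w in (self.source[1], self.destination[1]))


class Acl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        if not 2000 <= number <= 3999:
            raise ValueError("basic ACLs are 2000-2999, advanced ACLs 3000-3999")
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: dict = {}

    def rule(self, rule_id: Optional[int] = None, **kw) -> Rule:
        """Add a rule; re-using an existing ID overwrites that rule (editing it).
        Assumption: auto-assigned IDs are multiples of the step, starting at 0."""
        if rule_id is None:
            rule_id = 0 if not self.rules else (max(self.rules) // self.step + 1) * self.step
        self.rules[rule_id] = Rule(rule_id, **kw)
        return self.rules[rule_id]

    def ordered(self) -> list:
        """config: ascending rule ID, which is why 'rule 1' lands between rule 0 and rule 5.
        auto: most specific addresses first (assumed reading of 'depth-first'), ties by ID."""
        rules = [self.rules[i] for i in sorted(self.rules)]
        if self.match_order == "auto":
            rules.sort(key=lambda r: -r.specificity())   # stable sort keeps ID order on ties
        return rules

    def evaluate(self, pkt: dict):
        """First matching rule wins; (None, None) means no rule matched."""
        for r in self.ordered():
            if r.matches(pkt):
                return r.action, r.rule_id
        return None, None


def udp(src: str, dst: str, dport, sport: int = 50000) -> dict:
    """Constructed packet summary for testing, not a captured datagram."""
    return {"protocol": "udp", "src": src, "dst": dst, "sport": sport, "dport": resolve_port(dport)}
```

The model makes the operational consequence of the step visible: with rules 0 and 5 present, a rule configured as rule 1 is evaluated between them, so a narrow permit can be slid in front of a broad deny without renumbering. Comparing the same two rules under match-order config and match-order auto also shows why the match order should be chosen deliberately: the rule that wins for a given packet can differ even though the rule text is identical.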
3.2.14 time-range
Function
Using the time-range command, you can define a time range to specify a special time range. Using the undo time-range command, you can delete a time range.
Format
time-range time-range-name { start-time to [ tomorrow ] end-time days | from time1 date1 [ to time2 date2 ] }
undo time-range time-range-name [ start-time to [ tomorrow ] end-time days | from time1 date1 [ to time2 date2 ] ]
Parameters
time-range-name: specifies the name of the time range, a string of 1 to 32 characters. It must begin with an English letter (a to z or A to Z). The name cannot be "all", to avoid confusion.
start-time: specifies the start time of the time range in the format hh:mm. The range of hh is 0 to 24 hours and that of mm is 0 to 59 minutes. The time 24:00 can be configured.
to [ tomorrow ] end-time: specifies the end time of the time range in the format hh:mm. The range of hh is 0 to 24 hours and that of mm is 0 to 59 minutes.
days: specifies the days of the week on which the time range is valid. The values are as follows:
- Numbers 0 to 6 refer to Monday to Sunday.
- Monday to Sunday.
- working-day refers to Monday to Friday.
- off-day refers to Saturday and Sunday.
- daily refers to all the days in the week.
from time1 date1: starts from a given time on a given day; this parameter is optional.
- The format of time1 is hh:mm, with hh in the range 0 to 24 and mm in the range 0 to 59.
- The format of date1 is YYYY/MM/DD, with DD in the range 1 to 31, MM in the range 1 to 12, and YYYY a 4-digit year.
Without this parameter there is no limit on the start time and only the end time is taken into account.
to time2 date2: ends at a given time on a given day; this parameter is optional. The input formats of time2 and date2 are identical to those of the start time. The end time must be later than the start time. Without this parameter, the end time is the greatest time available in the system.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
- Use the parameters start-time and end-time to specify a time range whose period is based on the week. In addition, you can specify the valid days by configuring days in the command.
- Use the keywords from and to to specify the valid period of a specific time range.
You can set multiple time ranges with the same name to compose one time range, and then apply the time range by specifying the name.
Examples
# Set the time segment to be valid from Jan. 1, 2003 permanently.
<Eudemon> system-view
[Eudemon] time-range test from 0:0 2003/1/1
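The parameters above define two kinds of entry (a weekly window with optional tomorrow, and an absolute from/to span), the day keywords, the 24:00 end-of-day time and the "hh:mm YYYY/MM/DD" date form, but leave the reader to work out when a named range is actually active. The following Python is an added example, not Eudemon code, that evaluates a time range against a given clock value; TimeRange, parse_hhmm, parse_days and parse_time_date are names chosen here, and the rule for combining several entries under one name (weekly entries OR-ed together, absolute entries OR-ed together, both kinds satisfied when both are present) is an assumption rather than something the page states.

```python
"""Offline evaluation of periodic and absolute time ranges (added example, not Eudemon code)."""
from datetime import datetime, timedelta

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_KEYWORDS = {"working-day": set(range(5)), "off-day": {5, 6}, "daily": set(range(7))}


def parse_hhmm(text: str) -> int:
    """hh:mm -> minutes since midnight; 24:00 (end of day) is allowed."""
    hh, mm = (int(p) for p in text.split(":"))
    if not (0 <= hh <= 24 and 0 <= mm <= 59) or (hh == 24 and mm != 0):
        raise ValueError(f"bad time {text!r}")
    return hh * 60 + mm


def parse_days(tokens) -> set:
    """Accept 0-6 (Monday-Sunday, as on the page), day names, working-day, off-day or daily."""
    days = set()
    for tok in tokens:
        tok = tok.lower()
        if tok.isdigit() and 0 <= int(tok) <= 6:
            days.add(int(tok))
        elif tok in DAY_NAMES:
            days.add(DAY_NAMES.index(tok))
        elif tok in DAY_KEYWORDS:
            days |= DAY_KEYWORDS[tok]
        else:
            raise ValueError(f"unknown day {tok!r}")
    return days


def parse_time_date(text: str) -> datetime:
    """'hh:mm YYYY/MM/DD' as in the example above; 24:00 rolls over to the next day."""
    hhmm, ymd = text.split()
    day = datetime.strptime(ymd, "%Y/%m/%d")
    return day + timedelta(minutes=parse_hhmm(hhmm))


class TimeRange:
    """Assumption: entries sharing one name are OR-ed within each kind, and the
    range is active when every kind that has entries is satisfied."""

    def __init__(self, name: str):
        if name.lower() == "all" or not name[:1].isalpha():
            raise ValueError("name must start with a letter and cannot be 'all'")
        self.name = name
        self.periodic = []     # (start_min, end_min, tomorrow, days)
        self.absolute = []     # (from_dt or None, to_dt or None)

    def add_periodic(self, start: str, end: str, days, tomorrow: bool = False) -> None:
        self.periodic.append((parse_hhmm(start), parse_hhmm(end), tomorrow, parse_days(days)))

    def add_absolute(self, from_: str = None, to: str = None) -> None:
        f = parse_time_date(from_) if from_ else None
        t = parse_time_date(to) if to else None
        if f and t and t <= f:
            raise ValueError("end time must be later than start time")
        self.absolute.append((f, t))

    def _periodic_active(self, now: datetime) -> bool:
        m = now.hour * 60 + now.minute
        wd, yesterday = now.weekday(), (now.weekday() - 1) % 7
        for start, end, tomorrow, days in self.periodic:
            if tomorrow:   # window runs from start on a listed day to end on the following day
                if (wd in days and m >= start) or (yesterday in days and m < end):
                    return True
            elif wd in days and start <= m < end:
                return True
        return False

    def _absolute_active(self, now: datetime) -> bool:
        # Missing 'from' means no lower bound; missing 'to' means no upper bound.
        return any((f is None or f <= now) and (t is None or now <= t) for f, t in self.absolute)

    def is_active(self, now: datetime) -> bool:
        ok_periodic = not self.periodic or self._periodic_active(now)
        ok_absolute = not self.absolute or self._absolute_active(now)
        return ok_periodic and ok_absolute
```

The tomorrow case is the one most often got wrong in review: a window of 22:00 to tomorrow 06:00 on Friday must be active at 03:00 on Saturday but not at 03:00 on Friday, so the check has to look at the previous weekday for the early-morning half. Remember, as the display time-range guidelines note, that the ACL state on the device lags the computed state by about a minute.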
Format
add interface interface-type interface-number
undo add interface interface-type interface-number
Parameters
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
Views
Security zone view
Default Level
2: Configuration level
Usage Guidelines
Except for the local zone, every security zone must be bound to specific interfaces before use; that is, you must add physical or logical interfaces to the zone. This command can be run repeatedly to add interfaces to a security zone. A security zone can contain up to 1024 interfaces.
Examples
# Enter trust zone view and add the interface GigabitEthernet 0/0/0 to the trust zone.
<Eudemon> system-view
[Eudemon] firewall zone trust
[Eudemon-zone-trust] add interface GigabitEthernet 0/0/0
Format
display interzone [ vpn-instance vpn-instance-name | public ] [ zone-name1 zone-name2 ]
Parameters
vpn-instance-name: indicates the name of a VPN instance. The value is a character string of 1 to 19 characters. When vpn-instance-name is specified, the security policies between two security zones of that VPN instance are displayed.
public: displays the configuration information of the security policies between security zones of VPN 0.
zone-name1: specifies the name of a security zone.
zone-name2: specifies the name of a security zone.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If no security zone is specified, all interzones are displayed. When viewing the interzone configuration information, users with different rights see different results. For example:
- A superuser can view all interzone configuration information, including that of a specified VPN instance.
- When running the display interzone command, a virtual user can view only the interzone configuration information of the VPN instance to which the virtual user belongs. If the virtual user does not belong to the specified VPN instance, the prompt "Virtual configurer user can't access other VPN-Instance." is returned.
Examples
# Display security policies between the trust zone and the DMZ zone.
<Eudemon> display interzone trust dmz
interzone trust DMZ
packet-filter 2011 inbound
detect ftp
ACL 2011 is applied to filter the inbound packets between the trust zone and the DMZ zone. The ASPF filtering policy is applied on FTP traffic based on state.
Format
display zone [ vpn-instance vpn-instance-name | public ] [ zone-name ] [ interface | priority ]
Parameters
vpn-instance-name: indicates the name of a VPN instance. The value is a character string of 1 to 19 characters. When vpn-instance-name is specified, the configuration information of the security zones of that VPN instance is displayed.
public: displays the configuration information of the security zones of VPN 0.
zone-name: specifies the name of a security zone.
interface: displays the interfaces in the specified security zone.
priority: displays the priority of the specified security zone.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If no security zone is specified, all security zones are displayed. If neither interface nor priority is specified, the complete configuration of the zone is displayed.
Examples
# Display the DMZ zone.
<Eudemon> display zone dmz
dmz
priority is 50
interface of the zone is (0):
#
As shown in the above information, the priority of the DMZ zone is 50.
Format
firewall interzone [ vpn-instance vpn-instance-name ] zone-name1 zone-name2
Parameters
vpn-instance-name: indicates the name of a VPN instance. The value is a string of 1 to 19 characters. When vpn-instance-name is specified, the interzone view of that VPN instance is entered.
zone-name1: specifies the name of a security zone.
zone-name2: specifies the name of a security zone.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
To set security policies for zones, you should enter interzone view first. The sequence of zone-name1 and zone-name2 does not depend on priorities.
Examples
# Enter interzone view between the trust zone and the DMZ zone.
<Eudemon> system-view
[Eudemon] firewall interzone trust dmz
[Eudemon-interzone-trust-dmz]
Format
firewall zone [ vpn-instance vpn-instance-name ] [ name ] zone-name
undo firewall zone name zone-name
Parameters
vpn-instance-name: indicates the name of a VPN instance. The value is a character string of 1 to 19 characters. When vpn-instance-name is specified, a security zone of that VPN instance is created and its view entered, or the view of the existing security zone is entered.
name: specifies the name of a zone to be created or deleted.
zone-name: specifies the name of the security zone. The name is case insensitive and can contain up to 32 characters drawn from A to Z, a to z, 0 to 9 and "_", and it must start with a letter (A to Z or a to z).
Views
System view
Default Level
2: Configuration level
Usage Guidelines
In routing mode, there are five default security zones:
- Local zone
- Trust zone
- DMZ zone
- Untrust zone
- Virtual zone
These five security zones can neither be created nor deleted. In transparent mode and hybrid mode, there are four default security zones:
- Local zone
- Trust zone
- DMZ zone
- Untrust zone
These four security zones can neither be created nor deleted. The keyword name is used only when you create or delete a zone; it is not required when entering the view of an existing zone. Once a security zone is deleted, all the configuration of that zone is deleted as well.
Examples
# Create a security zone named userzone and access the zone.
<Eudemon> system-view
[Eudemon] firewall zone name userzone
[Eudemon-zone-userzone]
Format
set priority security-priority
Parameters
security-priority: sets the priority of a security zone. It is an integer ranging from 1 to 100; the greater the value, the higher the priority.
Views
Security zone view
Default Level
2: Configuration level
Usage Guidelines
Only user-defined security zones can be assigned priorities. In routing mode, the priorities of the five default security zones (local zone, trust zone, DMZ zone, untrust zone and virtual zone) are 100, 85, 50, 5 and 0 respectively and cannot be set manually. In transparent mode and hybrid mode, the priorities of the four default security zones (local zone, trust zone, DMZ zone and untrust zone) are 100, 85, 50 and 5 respectively and cannot be set manually. Two different security zones in the same system cannot be given the same priority.
Examples
# Set the priority of the security zone userzone to 60.
<Eudemon> system-view
[Eudemon] firewall zone name userzone
[Eudemon-zone-userzone] set priority 60
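The zone-name rules of firewall zone name (letters, digits and "_", up to 32 characters, leading letter, case insensitive) and the rules of set priority (1 to 100, user-defined zones only, no two zones with the same value, default zones fixed per working mode) are easy to get wrong by hand. The following Python model is an added example, not Eudemon code: ZoneTable, ZoneError and try_cmd are names chosen here, and "vzone" is used as the short name of the virtual zone, following the keyword used by reset firewall session table later in this chapter.

```python
import re
from dataclasses import dataclass, field

# Fixed priorities of the default zones per working mode, taken from the
# "set priority" usage guidelines.  "vzone" stands for the virtual zone.
DEFAULT_ZONES = {
    "routing":     {"local": 100, "trust": 85, "dmz": 50, "untrust": 5, "vzone": 0},
    "transparent": {"local": 100, "trust": 85, "dmz": 50, "untrust": 5},
    "hybrid":      {"local": 100, "trust": 85, "dmz": 50, "untrust": 5},
}

# zone-name: a letter, then letters/digits/underscore, at most 32 characters in
# total; names are case insensitive, so they are stored lowercased.
ZONE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,31}$")


class ZoneError(ValueError):
    """Raised when a zone command would be rejected."""


@dataclass
class ZoneTable:
    mode: str = "routing"
    zones: dict = field(default_factory=dict)  # lowercase name -> priority (None = unset)

    def __post_init__(self):
        if self.mode not in DEFAULT_ZONES:
            raise ZoneError(f"unknown working mode {self.mode!r}")
        self.zones = dict(DEFAULT_ZONES[self.mode])

    def is_default(self, name):
        return name.lower() in DEFAULT_ZONES[self.mode]

    def create(self, name):
        """firewall zone name <zone-name>: create a user-defined zone."""
        if not ZONE_NAME_RE.match(name):
            raise ZoneError(f"invalid zone name {name!r}")
        if self.is_default(name):
            raise ZoneError(f"{name} is a default zone and cannot be created")
        self.zones.setdefault(name.lower(), None)  # no priority until "set priority"

    def delete(self, name):
        """undo firewall zone name <zone-name>: deleting drops all zone configuration."""
        if self.is_default(name):
            raise ZoneError(f"{name} is a default zone and cannot be deleted")
        if name.lower() not in self.zones:
            raise ZoneError(f"zone {name} does not exist")
        del self.zones[name.lower()]

    def set_priority(self, name, priority):
        """set priority <security-priority> (security zone view)."""
        key = name.lower()
        if key not in self.zones:
            raise ZoneError(f"zone {name} does not exist")
        if self.is_default(key):
            raise ZoneError(f"priority of default zone {name} cannot be set manually")
        if not isinstance(priority, int) or not 1 <= priority <= 100:
            raise ZoneError("security-priority must be an integer from 1 to 100")
        # No two zones in the same system may share a priority.
        for other, other_prio in self.zones.items():
            if other != key and other_prio == priority:
                raise ZoneError(f"priority {priority} is already used by zone {other}")
        self.zones[key] = priority

    def priority(self, name):
        return self.zones[name.lower()]


def try_cmd(table, method, *args):
    """Run one zone command; return 'ok' or the rejection message."""
    try:
        getattr(table, method)(*args)
        return "ok"
    except ZoneError as exc:
        return str(exc)


if __name__ == "__main__":
    t = ZoneTable("routing")
    print(try_cmd(t, "create", "userzone"))            # ok
    print(try_cmd(t, "set_priority", "userzone", 60))  # ok
    print(try_cmd(t, "set_priority", "userzone", 50))  # rejected: dmz already has 50
    print(try_cmd(t, "delete", "trust"))               # rejected: default zone
```

Because the default zones already occupy 100, 85, 50, 5 (and 0 in routing mode), the uniqueness check also stops a user-defined zone from taking one of those values.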
Format
display firewall session aging-time
display firewall session table [ verbose ] [ source { global | inside } ip-address | destination { global | inside } ip-address ] [ source-vpn-instance { source-vpn-instance-name | public } | dest-vpn-instance { dest-vpn-instance-name | public } ] [ application protocol | nat ] [ destination-port port-number | long-link ]
Parameters
aging-time: displays the aging time of each type of entry.
table: displays the entry information.
verbose: displays detailed information about each entry.
application protocol: displays the session entries of the specified application. protocol can be one of: DNS, FTP, GTP, H323, HTTP, HWCC, ILS, MGCP, MMS, NBT, PPTP, QQ, RAS, RPC, RTSP, SIP, SMTP, SQLNET and STUN.
nat: displays all NAT session entries.
destination-port port-number: displays the session entries of the specified communication port.
long-link: displays the session entries of long links.
{ source-vpn-instance | destination-vpn-instance }: displays the session entries whose source or destination end belongs to the specified VPN instance.
vpn-instance-name: indicates the name of a VPN instance. The value is a character string of 1 to 19 characters.
public: displays the session entries of VPN 0.
{ source | destination }: displays the session entries whose source or destination end has the specified IP address.
inside: specifies the IP address on the private network. For the source IP address, inside is the intranet IP address before NAT; for the destination IP address, inside is the real intranet IP address of the NAT server.
global: specifies the public IP address. For the source IP address, global is the public IP address after NAT; for the destination IP address, global is the public IP address through which external users reach the NAT server.
ip-address: indicates the specified IP address.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
While the total number and the individual sessions are being displayed, sessions created or aged out during the display are not included in the total.
Examples
# Display the aging time of all session entries.
<Eudemon> display firewall session aging-time
Format
firewall fragment-forward enable
undo firewall fragment-forward enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After this command is configured, if the subsequent fragments of a fragmented packet reach the Eudemon before the first fragment, the Eudemon forwards them directly.
Examples
# Enable direct forwarding of fragmented packets on the Eudemon.
<Eudemon> system-view
[Eudemon] firewall fragment-forward enable
Format
firewall fragment-cache enable
undo firewall fragment-cache enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the fragment cache function of the Eudemon is enabled.
Examples
# Enable the fragment cache function of the Eudemon.
<Eudemon> system-view
[Eudemon] firewall fragment-cache enable
Format
firewall fragment-cache aging-time interval
undo firewall fragment-cache aging-time
Parameters
interval: specifies the aging time of the fragment cache; the parameter ranges from 1 ms to 30000 ms. By default, it is 30 ms.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the aging time of the fragment cache to 60 ms.
<Eudemon> system-view
[Eudemon] firewall fragment-cache aging-time 60
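The three fragment commands above (fragment-forward, fragment-cache and fragment-cache aging-time) interact on one edge case: a non-first fragment that arrives before the first fragment of its datagram. The Python below is an added example, not Eudemon code, that models that interaction. What the page states is the aging range (1 to 30000 ms, default 30 ms), that the cache is on by default, and that with fragment-forward enabled such fragments are forwarded directly; the rest is assumed and marked as such in the code: the first fragment (offset 0) is the one the policy is matched against, its verdict is then applied to the other fragments, and a non-first fragment that can be neither cached nor forwarded is dropped. FragmentCache and the fragment dictionaries are constructed for this example.

```python
class FragmentCache:
    """Models firewall fragment-cache, fragment-cache aging-time and fragment-forward.

    Assumptions (not stated on the page): only the first fragment (offset 0)
    carries the transport header and is matched against the policy; once it has
    been seen its verdict is applied to the remaining fragments; a non-first
    fragment arriving before the first one is cached when the cache is on,
    forwarded directly when fragment-forward is on, and dropped otherwise.
    """

    def __init__(self, aging_ms=30, cache_enabled=True, forward_enabled=False, policy=None):
        if not 1 <= aging_ms <= 30000:
            raise ValueError("fragment-cache aging-time must be 1..30000 ms")
        self.aging_ms = aging_ms
        self.cache_enabled = cache_enabled      # firewall fragment-cache enable (default on)
        self.forward_enabled = forward_enabled  # firewall fragment-forward enable
        self.policy = policy or (lambda head: "permit")  # verdict for a first fragment
        self.pending = {}   # datagram key -> (first_seen_ms, [cached fragments])
        self.verdicts = {}  # datagram key -> verdict learnt from the first fragment

    @staticmethod
    def key(frag):
        # Fragments of one datagram share source, destination and IP identification.
        return (frag["src"], frag["dst"], frag["ident"])

    def expire(self, now_ms):
        """Age out cached fragments whose first fragment never arrived in time."""
        dropped = []
        for k, (seen, frags) in list(self.pending.items()):
            if now_ms - seen >= self.aging_ms:
                dropped.extend(frags)
                del self.pending[k]
        return dropped

    def handle(self, frag, now_ms):
        """Process one fragment; return (fragment, action) pairs in decision order."""
        out = [(f, "aged-out") for f in self.expire(now_ms)]
        k = self.key(frag)
        if frag["offset"] == 0:
            verdict = self.policy(frag)
            self.verdicts[k] = verdict
            out.append((frag, verdict))
            # Release whatever was cached while waiting for this first fragment.
            _, cached = self.pending.pop(k, (None, []))
            out.extend((f, verdict) for f in cached)
        elif k in self.verdicts:
            out.append((frag, self.verdicts[k]))
        elif self.forward_enabled:
            out.append((frag, "forward"))       # fragment-forward: no waiting
        elif self.cache_enabled:
            self.pending.setdefault(k, (now_ms, []))[1].append(frag)
            out.append((frag, "cached"))
        else:
            out.append((frag, "drop"))
        return out


if __name__ == "__main__":
    # Constructed fragments: the second fragment of datagram 7 arrives first.
    tail = {"src": "10.0.0.1", "dst": "10.0.0.2", "ident": 7, "offset": 1480}
    head = {"src": "10.0.0.1", "dst": "10.0.0.2", "ident": 7, "offset": 0}
    cache = FragmentCache(aging_ms=60)          # firewall fragment-cache aging-time 60
    for step in cache.handle(tail, 0) + cache.handle(head, 10):
        print(step[0]["offset"], step[1])       # 1480 cached / 0 permit / 1480 permit
```

The aging timer is what bounds memory held for datagrams whose first fragment never shows up: in the example, a first fragment arriving at 100 ms finds its cached sibling already aged out under the 60 ms setting.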
Function
Using the firewall long-link command, you can enable the long link in the interzone view. Using the undo firewall long-link command, you can disable the long link.
Format
firewall long-link acl-number { inbound | outbound }
undo firewall long-link { inbound | outbound }
Parameters
acl-number: specifies the number of the ACL, in the range 3000 to 3999.
inbound: enables the long link in the incoming direction between the two zones.
outbound: enables the long link in the outgoing direction between the two zones.
Views
Interzone view
Default Level
2: Configuration level
Usage Guidelines
The incoming and outgoing directions between two zones can each be associated with an ACL, separately or both at once, and the two directions can use different ACLs. Avoid ACL rules that match a large address range; otherwise the performance of the Eudemon is affected.
Examples
# Configure the long link in incoming direction between the trust zone and the untrust zone.
<Eudemon> system-view
[Eudemon] acl 3001
[Eudemon-acl-adv-3001] rule permit tcp source 1.1.1.1 0.0.0.255 destination 10.1.1.1 0 source-port eq 8060
[Eudemon-acl-adv-3001] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] firewall long-link 3001 inbound
Format
firewall long-link aging-time aging-time
undo firewall long-link aging-time
Parameters
aging-time: specifies the value of the long link aging time. The value ranges from 1 to 480 hours. By default, the value of long link aging time is 168 hours.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the long-link aging time to 240 hours.
<Eudemon> system-view
[Eudemon] firewall long-link aging-time 240
Format
firewall session aging-time { ah | dns | esp | fin-rst | fragment | ftp | ftp-data | gre | gtp | h225 | h245 | h323-rtcp | h323-rtp | h323-t120 | http | hwcc | icmp | ils | mgcp | mgcp-rtcp | mgcp-rtp | mms | mms-data | netbios-name | netbios-data | netbios-session | pptp | qq | ras | rpc | rpc-data | rtcp | rtp | rtsp | sip | sip-rtp | sip-rtcp | smtp | sqlnet | sqlnet-data | stun | syn | tcp | udp } seconds
firewall session aging-time default
undo firewall session aging-time { ah | dns | esp | fin-rst | fragment | ftp | ftp-data | gre | gtp | h225 | h245 | h323-rtcp | h323-rtp | h323-t120 | http | hwcc | icmp | ils | mgcp | mgcp-rtcp | mgcp-rtp | mms | mms-data | netbios-name | netbios-data | netbios-session | pptp | qq | ras | rpc | rpc-data | rtcp | rtp | rtsp | sip | sip-rtp | sip-rtcp | smtp | sqlnet | sqlnet-data | stun | syn | tcp | udp }
Parameters
seconds: specifies either the state waiting timeout of session entries when the firewall detects SYN/FIN/RST packets, or the idle timeout of the session entries of TCP, UDP and the other protocols listed above. It is an integer in the range 1 to 65535.
default: restores the default aging time. The default aging time of each protocol is as follows:
- ah: 240 seconds
- esp: 240 seconds
- dns: 240 seconds
- tcp: 1200 seconds
- udp: 120 seconds
- icmp: 20 seconds
- fragment: 10 seconds
- fin-rst: 10 seconds
- gre: 240 seconds
- gtp: 3600 seconds
- syn: 5 seconds
- h225: 10800 seconds
- h245: 1200 seconds
- h323-rtcp: 240 seconds
- h323-rtp: 240 seconds
- h323-t120: 10800 seconds
- netbios-name: 240 seconds
- netbios-session: 240 seconds
- netbios-data: 240 seconds
- ftp: 600 seconds
- ftp-data: 240 seconds
- hwcc: 240 seconds
- ils: 600 seconds
- http: 600 seconds
- smtp: 1200 seconds
- sip: 600 seconds
- sip-rtp: 240 seconds
- sip-rtcp: 240 seconds
- ras: 1200 seconds
- rpc: 600 seconds
- rpc-data: 600 seconds
- rtsp: 1800 seconds
- rtcp: 240 seconds
- rtp: 240 seconds
- pptp: 600 seconds
- qq: 120 seconds
- mgcp: 120 seconds
- mgcp-rtcp: 60 seconds
- mgcp-rtp: 50 seconds
- mms: 600 seconds
- mms-data: 240 seconds
- sqlnet: 600 seconds
- sqlnet-data: 14400 seconds
- stun: 600 seconds
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The system saves the existing connections and sessions until they expire.
Examples
# Set the SYN waiting timeout for TCP to 20 seconds.
<Eudemon> system-view
[Eudemon] firewall session aging-time syn 20
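The session aging rules above (per-type idle timeouts, the short state-waiting timeouts for syn and fin-rst, the 1 to 65535 second override and the default restore) can be checked against a small model of the session table. The Python below is an added example, not Eudemon code: the SessionTable class, its key layout and the constructed sessions are mine; the timeout values are the defaults listed on the page, and the treatment of a TCP entry's type changing from syn to tcp to fin-rst as the connection progresses is an assumption about how the state timeouts apply.

```python
# Default aging time, in seconds, of every session type (values from the page).
DEFAULT_AGING = {
    "ah": 240, "esp": 240, "dns": 240, "tcp": 1200, "udp": 120, "icmp": 20,
    "fragment": 10, "fin-rst": 10, "gre": 240, "gtp": 3600, "syn": 5,
    "h225": 10800, "h245": 1200, "h323-rtcp": 240, "h323-rtp": 240, "h323-t120": 10800,
    "netbios-name": 240, "netbios-session": 240, "netbios-data": 240,
    "ftp": 600, "ftp-data": 240, "hwcc": 240, "ils": 600, "http": 600, "smtp": 1200,
    "sip": 600, "sip-rtp": 240, "sip-rtcp": 240, "ras": 1200, "rpc": 600, "rpc-data": 600,
    "rtsp": 1800, "rtcp": 240, "rtp": 240, "pptp": 600, "qq": 120, "mgcp": 120,
    "mgcp-rtcp": 60, "mgcp-rtp": 50, "mms": 600, "mms-data": 240, "sqlnet": 600,
    "sqlnet-data": 14400, "stun": 600,
}


class SessionTable:
    """Session entries that expire after the aging time of their type (added example)."""

    def __init__(self):
        self.aging = dict(DEFAULT_AGING)
        self.sessions = {}  # (src, sport, dst, dport) -> {"type": ..., "last": seconds}

    # firewall session aging-time <type> <seconds>
    def set_aging(self, kind, seconds):
        if kind not in DEFAULT_AGING:
            raise ValueError(f"unknown session type {kind}")
        if not 1 <= seconds <= 65535:
            raise ValueError("seconds must be in 1..65535")
        self.aging[kind] = seconds

    # undo firewall session aging-time <type>
    def undo_aging(self, kind):
        self.aging[kind] = DEFAULT_AGING[kind]

    # firewall session aging-time default
    def restore_defaults(self):
        self.aging = dict(DEFAULT_AGING)

    def touch(self, key, kind, now):
        """Create or refresh an entry.  Assumption: a TCP entry is typed 'syn' while
        the handshake is pending, 'tcp' once established and 'fin-rst' after FIN/RST,
        so the short state-waiting timeouts apply only to those phases."""
        self.sessions[key] = {"type": kind, "last": now}

    def sweep(self, now):
        """Remove entries idle for at least their aging time; return the removed keys."""
        expired = [k for k, s in self.sessions.items()
                   if now - s["last"] >= self.aging[s["type"]]]
        for k in expired:
            del self.sessions[k]
        return expired

    def count(self):
        return len(self.sessions)


if __name__ == "__main__":
    t = SessionTable()
    half_open = ("10.1.1.1", 1234, "10.2.2.2", 80)   # constructed sample flows
    established = ("10.1.1.1", 1235, "10.2.2.2", 80)
    t.touch(half_open, "syn", 0)
    t.touch(established, "tcp", 0)
    print(t.sweep(5))        # [half_open]: syn waiting timeout of 5 s has elapsed
    print(t.count())         # 1: the established flow lives until 1200 s of idleness
```

Raising the syn timeout, as the page's example does with firewall session aging-time syn 20, lengthens how long half-open entries occupy the table, which is the trade-off to weigh when tuning it.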
Format
reset firewall session table [ interzone zone-name1 zone-name2 [ address-group address-group-number ] | zone zone-name [ address-group address-group-number ] | [ protocol { tcp | udp } ] [ source { global | inside } ip-address | destination { global | inside } ip-address |
Parameters
interzone zone-name1 zone-name2: specifies the security interzone. zone-name1 and zone-name2 can be any two of dmz, trust, untrust, local, vzone and the user-defined zones.
zone zone-name: specifies the name of the security zone. zone-name can be dmz, trust, untrust, local, vzone or a user-defined zone.
address-group address-group-number: specifies the address pool. address-group-number indicates the address pool number. It is an integer in the range 0 to 127.
{ source-vpn-instance | destination-vpn-instance }: removes the session entries whose source or destination end belongs to the specified VPN instance.
vpn-instance-name: indicates the name of a VPN instance. The value is a character string of 1 to 19 characters.
public: removes the session entries of VPN 0.
{ source | destination }: removes the session entries whose source or destination end has the specified IP address.
inside: specifies the IP address on the private network. For the source IP address, inside is the intranet IP address before NAT; for the destination IP address, inside is the real intranet IP address of the NAT server.
global: specifies the public IP address. For the source IP address, global is the public IP address before NAT; for the destination IP address, global is the public IP address through which external users reach the NAT server.
ip-address: indicates the specified IP address.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
Removing session entries interrupts all the session connections. So, confirm the action before you run the command.
Examples
# Delete the session entries and fragment tables on the Eudemon.
<Eudemon> reset firewall session table
3.5.1 display firewall packet-filter default
3.5.2 firewall packet-filter default
3.5.3 packet-filter
Format
display firewall packet-filter default { all [ vpn-instance { vpn-instance-name | public } ] | interzone [ vpn-instance { vpn-instance-name | public } ] zone1 zone2 }
Parameters
all: displays the default packet filter of all interzones.
vpn-instance vpn-instance-name: displays the default filter action between the security zones of the specified VPN instance.
public: displays the default filter action of the interzones of VPN 0.
interzone: displays the default packet filter of the specified interzone.
zone1: specifies the name of the first zone, which can be the Local zone, Trust zone, DMZ zone, Untrust zone or a user-defined zone.
zone2: specifies the name of the second zone, which can be the Local zone, Trust zone, DMZ zone, Untrust zone or a user-defined zone.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the Eudemon default action in all interzones.
<Eudemon> display firewall packet-filter default all
Format
firewall packet-filter default { permit | deny } { { all [ vpn-instance vpn-instance-name ] | interzone [ vpn-instance vpn-instance-name ] zone1 zone2 } [ direction { inbound | outbound } ] }
undo firewall packet-filter default { { all [ vpn-instance vpn-instance-name ] | interzone [ vpn-instance vpn-instance-name ] zone1 zone2 } [ direction { inbound | outbound } ] }
Parameters
permit: sets the default filter action to permit.
deny: sets the default filter action to deny.
all: sets the default filter action in all interzones.
vpn-instance vpn-instance-name: configures the default filter action between the security zones of the specified VPN instance.
interzone: sets the default filter action in the specified interzone.
zone1: specifies the name of the first zone, which can be the local zone, trust zone, DMZ zone, untrust zone or a user-defined zone.
zone2: specifies the name of the second zone, which can be the local zone, trust zone, DMZ zone, untrust zone or a user-defined zone.
direction: specifies the direction to which the default filter action applies.
inbound: applies the default filter action in the inbound direction.
outbound: applies the default filter action in the outbound direction.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, packets in all directions of all interzones are denied by the Eudemon.
Examples
# Default the filter rule in all interzones on the Eudemon to deny.
3.5.3 packet-filter
Function
Using the packet-filter command, you can apply ACL to the interzone. Using the undo packet-filter command, you can remove the configuration.
Format
packet-filter acl-number { inbound | outbound }
undo packet-filter acl-number { inbound | outbound }
Parameters
acl-number: specifies the number of the ACL, in the range 2000 to 3999.
inbound: filters inbound packets.
outbound: filters outbound packets.
Views
Interzone view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Apply ACL 3101 in the interzone between the trust zone and the untrust zone to filter inbound packets.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter 3101 inbound
3.6.3 display firewall statistic
3.6.4 display firewall statistic stream
3.6.5 firewall defend all enable
3.6.6 firewall defend arp-flood
3.6.7 firewall defend arp-flood enable
3.6.8 firewall defend ddos
3.6.9 firewall defend fraggle enable
3.6.10 firewall defend icmp-flood
3.6.11 firewall defend icmp-flood enable
3.6.12 firewall defend icmp-redirect enable
3.6.13 firewall defend icmp-unreachable enable
3.6.14 firewall defend ip-fragment enable
3.6.15 firewall defend ip-spoofing enable
3.6.16 firewall defend ip-sweep
3.6.17 firewall defend ip-sweep enable
3.6.18 firewall defend land enable
3.6.19 firewall defend large-icmp
3.6.20 firewall defend large-icmp enable
3.6.21 firewall defend log-time
3.6.22 firewall defend ping-of-death enable
3.6.23 firewall defend port-scan
3.6.24 firewall defend port-scan enable
3.6.25 firewall defend route-record enable
3.6.26 firewall defend smurf enable
3.6.27 firewall defend source-route enable
3.6.28 firewall defend syn-flood
3.6.29 firewall defend syn-flood enable
3.6.30 firewall defend tcp-flag enable
3.6.31 firewall defend teardrop enable
3.6.32 firewall defend time-stamp enable
3.6.33 firewall defend tracert enable
3.6.34 firewall defend udp-flood
3.6.35 firewall defend udp-flood enable
3.6.36 firewall defend dns-flood enable
3.6.37 firewall defend dns-flood
3.6.38 firewall defend get-flood enable
3.6.39 firewall defend get-flood
3.6.40 firewall defend get-flood uriblock
3.6.41 firewall defend get-flood blacklist-timeout
3.6.42 firewall defend tcp-illeage-session enable
3.6.43 firewall defend tcp-illeage-session blacklist-timeout
3.6.44 firewall defend tcp-illeage-session number
3.6.45 firewall defend tcp-illeage-session packet
3.6.46 firewall defend winnuke enable
3.6.47 firewall source-ip detect aging-time
3.6.48 firewall statistic system connect-number
3.6.49 firewall statistic system enable
3.6.50 statistic car ip
3.6.51 statistic connect-number
3.6.52 statistic ip-stat
3.6.53 statistic enable
Format
debugging firewall defend tcp-illeage-session
undo debugging firewall defend tcp-illeage-session
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
This command is used to debug the TCP full connection attack defense. By default, the function of debugging the TCP full connection attack defense is prohibited.
Examples
# Debug the TCP full connection attack defense.
<Eudemon> debugging firewall defend tcp-illeage-session
Format
display firewall defend flag
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the type of attack defense applied on the Eudemon.
<Eudemon> display firewall defend flag
Function
Using the display firewall statistic command, you can view the system statistics, inbound or outbound statistics in some zones, or statistics of some IP addresses in the source or destination address table.
Format
display firewall statistic { system | ip ip-address { source-ip | destination-ip } [ vpn-instance vpn-instance-name ] }
Parameters
system: displays the system statistics of the Eudemon.
ip ip-address: displays the statistics of the specified IP address. ip-address indicates that IP address.
source-ip: displays the statistics of the source address table.
destination-ip: displays the statistics of the destination address table.
vpn-instance-name: indicates the name of a VPN instance. The value is a character string of 1 to 19 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the global statistics of the system.
<Eudemon> display firewall statistic system
Format
display firewall statistic stream [ application | basic-protocol | interface ]
Parameters
application: collects statistics on the traffic of each application-layer protocol, in Kbit/s. The protocols are EMAIL, FTP, HTTP, QQ, DNS, MSN, SIP, H323, RTSP, GTCP and GUDP. GTCP is the sum of all TCP-based protocol traffic; GUDP is the sum of all UDP-based protocol traffic.
basic-protocol: collects statistics on the traffic of each basic protocol, in Kbit/s. The basic protocols are TCP, UDP, ICMP and OTHER, where OTHER covers all basic protocols other than TCP, UDP and ICMP.
interface: collects statistics on the packet transmit and receive rate of each interface, in Kbit/s.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the packet transmit and receive rate of each interface of the Eudemon.
<Eudemon> display firewall statistic stream interface
Format
firewall defend all enable
undo firewall defend all enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, all attack defense functions are disabled.
Examples
# Enable all attack-defense functions.
<Eudemon> system-view
[Eudemon] firewall defend all enable
Format
firewall defend arp-flood interface { interface-type interface-number | all } [ max-rate rate-number ]
firewall defend arp-flood ip ip-address [ vpn-instance vpn-instance-name ] [ max-rate rate-number ]
firewall defend arp-flood zone [ vpn-instance vpn-instance-name ] zone-name [ max-rate rate-number ]
undo firewall defend arp-flood [ interface { interface-type interface-number | all } | ip [ ip-address ] [ vpn-instance vpn-instance-name ] | zone [ vpn-instance vpn-instance-name ] [ zone-name ] | vpn-instance vpn-instance-name ]
Parameters
interface: sets a protected interface. In the undo form, it restores the default ARP Flood detection value for the interface; with interface all, it restores the default values for all interfaces.
interface-type interface-number: indicates the type and number of an interface.
ip ip-address: specifies the IP address of the host to be protected. The undo form disables ARP Flood detection for that IP address; if only ip is given without a specific ip-address, ARP Flood detection is disabled for all protected hosts configured by IP address. ARP Flood attack defense can protect up to 1000 IP addresses.
zone zone-name: specifies the name of the protected zone. The undo form disables ARP Flood detection for all IP addresses in the zone; if only zone is given without a specific zone-name, ARP Flood detection is disabled for all protected security zones.
max-rate rate-number: specifies the threshold; when the number of ARP packets per second exceeds it, an attack is detected. For the interface-based case, the value ranges from 100 to 500000 packets/second and defaults to 50000 packets/second. For the IP- or zone-based case, the value ranges from 1 to 65535 packets/second and defaults to 1000 packets/second.
vpn-instance vpn-instance-name: specifies the name of the VPN instance to which the protected host address belongs. It is a string of 1 to 19 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When configuring the ARP Flood attack defense, the IP-based configuration takes precedence over the zone-based one. If the ARP Flood attack defense is enabled both for a particular IP address and for the zone to which that IP address belongs, the IP-based detection parameters are used; if the IP-based configuration is disabled, the zone-based parameters apply. By default, the ARP Flood attack defense is disabled. In addition to the firewall defend arp-flood command, you must run the firewall defend arp-flood enable command to turn on the global switch when enabling the ARP Flood defense function.
Examples
# Enable the ARP Flood attack defense for the IP and set the rate threshold of arp packets to 500 packet/s.
<Eudemon> system-view
[Eudemon] firewall defend arp-flood ip 192.168.0.50 max-rate 500
Format
firewall defend arp-flood enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the ARP Flood attack defense is disabled.
Examples
# Enable the ARP Flood attack defense.
<Eudemon> system-view
[Eudemon] firewall defend arp-flood enable
Format
firewall defend ddos acl-number outbound
Parameters
acl-number: specifies the ACL group number, an integer in the range 3000 to 3999.
outbound: indicates that DDoS attack defense is applied to outbound packets that match the ACL.
Views
Security zone view
Default Level
2: Configuration level
Usage Guidelines
By default, the DDoS attack defense function is not configured for security zones. The command selects traffic for DDoS attack defense by the action of the matching ACL rule: if a packet matches a rule whose action is deny, the Eudemon does not perform DDoS attack defense on that packet; if a packet matches a rule whose action is permit, the Eudemon performs DDoS attack defense on it.
Examples
# Configure the DDoS attack defense function in the outbound direction of the Untrust zone not to defend against traffic whose source IP address is 10.1.1.1.
<Eudemon> system-view
[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule deny ip source 10.1.1.1 0
[Eudemon-acl-adv-3000] rule permit ip
[Eudemon-acl-adv-3000] quit
[Eudemon] firewall zone untrust
[Eudemon-zone-untrust] firewall defend ddos 3000 outbound
# Configure the DDoS attack defense function in the outbound direction of the Untrust zone to defend against traffic whose source IP address is 10.1.1.1.
<Eudemon> system-view
[Eudemon] acl 3001
[Eudemon-acl-adv-3001] rule permit ip source 10.1.1.1 0
[Eudemon-acl-adv-3001] rule deny ip
[Eudemon-acl-adv-3001] quit
[Eudemon] firewall zone untrust
[Eudemon-zone-untrust] firewall defend ddos 3001 outbound
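The inverted meaning of the ACL actions here (deny exempts a packet from DDoS defense, permit subjects it to defense) is the kind of thing worth checking before deploying. The following Python is an added example, not Eudemon code: it evaluates advanced ACLs with Huawei-style wildcard masks (0 for an exact host, 0.0.0.255 to ignore the last octet, as in the rules on this page) in first-match order and reports whether DDoS defense applies. Rule, Acl and ddos_defense_applies are names chosen here, and the treatment of a packet that matches no rule as not defended is an assumption the page does not settle.

```python
import ipaddress


def parse_wildcard(text):
    """Huawei wildcard mask: set bits are 'don't care'.  '0' means exact host match."""
    if text == "0":
        text = "0.0.0.0"
    return int(ipaddress.IPv4Address(text))


class Rule:
    """One advanced ACL rule: rule <action> <proto> [ source <ip> <wildcard> ]."""

    def __init__(self, action, proto="ip", source=None):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.action = action
        self.proto = proto            # "ip" matches any IP protocol
        self.source = None
        if source:
            ip, wildcard = source.split()
            self.source = (int(ipaddress.IPv4Address(ip)), parse_wildcard(wildcard))

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.source:
            ip, wildcard = self.source
            src = int(ipaddress.IPv4Address(pkt["src"]))
            # Bits covered by the wildcard are ignored on both sides.
            if (src | wildcard) != (ip | wildcard):
                return False
        return True


class Acl:
    def __init__(self, number):
        if not 3000 <= number <= 3999:
            raise ValueError("firewall defend ddos takes an advanced ACL (3000..3999)")
        self.number = number
        self.rules = []

    def rule(self, action, proto="ip", source=None):
        self.rules.append(Rule(action, proto, source))
        return self

    def evaluate(self, pkt):
        """First matching rule decides; None when no rule matches."""
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return None


def ddos_defense_applies(acl, pkt):
    """deny -> packet is exempt from DDoS defense; permit -> defense is applied.
    Assumption: a packet matching no rule is not defended (treated like deny)."""
    return acl.evaluate(pkt) == "permit"


if __name__ == "__main__":
    # ACL 3000 and ACL 3001 as configured in the two examples on this page.
    acl3000 = Acl(3000).rule("deny", "ip", "10.1.1.1 0").rule("permit", "ip")
    acl3001 = Acl(3001).rule("permit", "ip", "10.1.1.1 0").rule("deny", "ip")
    for pkt in ({"src": "10.1.1.1", "proto": "tcp"}, {"src": "10.1.1.2", "proto": "tcp"}):
        print(pkt["src"], "acl3000:", ddos_defense_applies(acl3000, pkt),
              "acl3001:", ddos_defense_applies(acl3001, pkt))
```

Running it shows the two ACLs are exact mirrors: 10.1.1.1 is exempt under ACL 3000 and the only defended source under ACL 3001.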
Format
firewall defend fraggle enable
undo firewall defend fraggle enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the Fraggle attack defense is disabled.
Examples
# Enable the Fraggle attack defense.
<Eudemon> system-view
[Eudemon] firewall defend fraggle enable
Format
firewall defend icmp-flood interface { interface-type interface-number | all } [ max-rate rate-number ]
firewall defend icmp-flood ip ip-address [ vpn-instance vpn-instance-name ] [ max-rate rate-number ]
firewall defend icmp-flood zone [ vpn-instance vpn-instance-name ] zone-name [ max-rate rate-number ]
firewall defend icmp-flood base-session max-rate [ max-rate ]
undo firewall defend icmp-flood [ base-session | interface { interface-type interface-number | all } | ip [ ip-address ] [ vpn-instance vpn-instance-name ] | zone [ vpn-instance vpn-instance-name ] [ zone-name ] | vpn-instance vpn-instance-name ]
Parameters
interface: sets a protected interface. In the undo form, it restores the default ICMP Flood detection value for the interface; with interface all, it restores the default values for all interfaces.
interface-type interface-number: indicates the type and number of an interface.
ip ip-address: specifies the IP address of the host to be protected. The undo form disables ICMP Flood detection for that IP address; if only ip is given without a specific ip-address, ICMP Flood detection is disabled for all protected hosts configured by IP address. ICMP Flood attack defense can protect up to 1000 IP addresses.
zone zone-name: specifies the name of the protected zone. The undo form disables ICMP Flood detection for all IP addresses in the zone; if only zone is given without a specific zone-name, ICMP Flood detection is disabled for all protected security zones.
max-rate rate-number: specifies the threshold; when the number of ICMP packets per second exceeds it, an attack is detected. For the interface-based case, the value ranges from 100 to 500000 packets/second and defaults to 500000 packets/second. For the IP- or zone-based case, the value ranges from 1 to 65535 packets/second and defaults to 1000 packets/second.
base-session: sets the maximum transmission rate of all ICMP sessions.
max-rate: specifies that maximum rate. The value ranges from 1 to 255 packets/second and defaults to 255 packets/second.
vpn-instance vpn-instance-name: specifies the name of the VPN instance to which the protected host address belongs. It is a string of 1 to 19 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When configuring the ICMP Flood attack defense, the IP-based configuration takes priority over the zone-based configuration. If the ICMP Flood attack defense is enabled both for a particular IP address and for the zone to which that IP address belongs, the IP-based detection parameters are used. If the IP-based configuration is removed, the zone-based parameters apply. By default, the ICMP Flood attack defense is disabled. In addition to the firewall defend icmp-flood command, you must run the firewall defend icmp-flood enable command to turn on the global switch when enabling the ICMP Flood defense function.
Examples
# Enable the ICMP Flood attack defense for the trust zone and set the rate threshold of ICMP packets to 500 packet/s.
<Eudemon> system-view
[Eudemon] firewall defend icmp-flood zone trust max-rate 500
Using the undo firewall defend icmp-flood enable command, you can disable the ICMP Flood attack defense globally.
Format
firewall defend icmp-flood enable
undo firewall defend icmp-flood enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the ICMP Flood attack defense is disabled.
Examples
# Enable the ICMP Flood attack defense.
<Eudemon> system-view
[Eudemon] firewall defend icmp-flood enable
Format
firewall defend icmp-redirect enable
undo firewall defend icmp-redirect enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the ICMP redirection packet attack defense is disabled.
Examples
# Enable the ICMP redirection packet attack defense.
<Eudemon> system-view
[Eudemon] firewall defend icmp-redirect enable
Format
firewall defend icmp-unreachable enable
undo firewall defend icmp-unreachable enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the ICMP unreachable packet attack defense is disabled.
Examples
# Enable the ICMP unreachable packet attack defense.
Format
firewall defend ip-fragment enable
undo firewall defend ip-fragment enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the IP fragment packet attack defense is disabled.
Examples
# Enable the IP fragment packet attack defense.
<Eudemon> system-view
[Eudemon] firewall defend ip-fragment enable
Format
firewall defend ip-spoofing enable
undo firewall defend ip-spoofing enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the IP Spoofing attack defense is disabled.
NOTE
The IP Spoofing attack defense cannot be used when the Eudemon works in transparent mode.
Examples
# Enable IP Spoofing attack defense.
<Eudemon> system-view
[Eudemon] firewall defend ip-spoofing enable
Format
firewall defend ip-sweep { max-rate rate-number | blacklist-timeout minutes }
undo firewall defend ip-sweep { max-rate | blacklist-timeout }
Parameters
max-rate rate-number: specifies the threshold for the rate at which the destination address of packets sent from the same source address changes. The default value of rate-number is 4000 times per second. The value ranges from 1 to 10000 times per second.
blacklist-timeout minutes: adds the source address to the blacklist and sets its validity time. minutes ranges from 1 to 1000 minutes. By default, the value is 10.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the IP Sweep attack defense is disabled. The firewall defend ip-sweep command takes effect only after you run the firewall defend ip-sweep enable command.
Examples
# Enable the IP Sweep attack defense and set the threshold of sweeping rate to 1000.
<Eudemon> system-view
[Eudemon] firewall defend ip-sweep max-rate 1000
Format
firewall defend ip-sweep enable
undo firewall defend ip-sweep enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the IP Sweep attack defense is disabled.
Examples
# Enable the IP Sweep attack-defense.
<Eudemon> system-view
[Eudemon] firewall defend ip-sweep enable
Format
firewall defend land enable
undo firewall defend land enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the Land attack defense is disabled.
Examples
# Enable the Land attack defense.
<Eudemon> system-view
[Eudemon] firewall defend land enable
Format
firewall defend large-icmp max-length length
undo firewall defend large-icmp max-length
Parameters
length: refers to the allowed maximum length of ICMP packets in a range of 28 to 65535 bytes. By default, the value is 4000 bytes.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the large ICMP packet attack defense is disabled. The firewall defend large-icmp command takes effect only after firewall defend large-icmp enable has been run.
Examples
# Permit ICMP packets whose length does not exceed 4000 bytes to pass.
<Eudemon> system-view
[Eudemon] firewall defend large-icmp max-length 4000
Format
firewall defend large-icmp enable
undo firewall defend large-icmp enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enable the defense against large-icmp attacks.
<Eudemon> system-view
[Eudemon] firewall defend large-icmp enable
Format
firewall defend log-time interval
undo firewall defend log-time
Parameters
interval: specifies the interval for reporting logs. It is expressed in seconds. The default value is 30.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
This command is used to set the interval for reporting logs in the attack scheme. By default, the interval is 30 seconds.
Examples
# Set the interval for reporting logs in the attack scheme to 100s.
<Eudemon> system-view
[Eudemon] firewall defend log-time 100
Format
firewall defend ping-of-death enable
undo firewall defend ping-of-death enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the Ping of Death attack defense is disabled.
Examples
# Enable the Ping of Death attack defense.
<Eudemon> system-view
[Eudemon] firewall defend ping-of-death enable
Format
firewall defend port-scan { max-rate rate-number | blacklist-timeout minutes }
Parameters
max-rate rate-number: specifies the threshold for the rate at which the destination port of packets sent from the same source address changes. The default value of rate-number is 4000 times per second. The value ranges from 1 to 10000 times per second.
blacklist-timeout minutes: adds the source address to the blacklist and sets its validity time. minutes ranges from 1 to 1000 minutes. The default value is 10.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the port scan attack defense is disabled. The firewall defend port-scan command takes effect only after you run the firewall defend port-scan enable command.
Examples
# Set the threshold of scanning rate to 1000 and valid time of blacklist to 5 minutes.
<Eudemon> system-view
[Eudemon] firewall defend port-scan max-rate 1000
[Eudemon] firewall defend port-scan blacklist-timeout 5
Format
firewall defend port-scan enable
undo firewall defend port-scan enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the function is disabled.
Examples
# Enable the defense against port scan attacks.
<Eudemon> system-view
[Eudemon] firewall defend port-scan enable
Format
firewall defend route-record enable
undo firewall defend route-record enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, attack defense for the packet carrying the route record is disabled.
Examples
# Enable attack defense for the packet carrying the route record.
<Eudemon> system-view
[Eudemon] firewall defend route-record enable
Format
firewall defend smurf enable
undo firewall defend smurf enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the Smurf attack defense is disabled.
Examples
# Enable the Smurf attack defense.
<Eudemon> system-view
[Eudemon] firewall defend smurf enable
Format
firewall defend source-route enable
undo firewall defend source-route enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, attack defense for the packet carrying the source route is disabled.
Examples
# Enable attack defense for the packet carrying the source route.
<Eudemon> system-view
[Eudemon] firewall defend source-route enable
Format
firewall defend syn-flood interface { interface-type interface-number | all } [ max-rate rate-number ] [ source-detect | tcp-proxy ] [ auto | on | off ]
firewall defend syn-flood ip ip-address [ vpn-instance vpn-instance-name ] [ max-rate rate-number ] [ source-detect | tcp-proxy ] [ auto | on | off ]
firewall defend syn-flood zone [ vpn-instance vpn-instance-name ] zone-name [ max-rate rate-number ] [ source-detect | tcp-proxy ] [ auto | on | off ]
undo firewall defend syn-flood [ vpn-instance vpn-instance-name | ip [ ip-address ] [ vpn-instance vpn-instance-name ] | zone [ vpn-instance vpn-instance-name ] [ zone-name ] | interface { all | interface-type interface-number } ]
Parameters
interface: sets a protected interface. In undo mode, it restores the default SYN Flood detection values for the interface; if interface is set to all, the defaults are restored for all interfaces.
interface-type interface-number: indicates the type and number of an interface.
ip ip-address: sets the IP address of the protected host. In undo mode, SYN Flood detection is disabled for the IP address. If, in undo mode, ip is given without an ip-address, SYN Flood detection is disabled for all hosts configured with IP address protection. The SYN Flood attack defense function can protect a maximum of 1000 IP addresses simultaneously.
zone zone-name: sets the name of a protected security zone. In undo mode, SYN Flood detection is disabled for all IP addresses in the security zone. If, in undo mode, zone is given without a zone-name, SYN Flood detection is disabled for all protected security zones.
vpn-instance vpn-instance-name: specifies the name of the VPN instance where the host to be protected resides. The value is a string of 1 to 19 characters.
max-rate rate-number: sets the threshold of the rate of SYN packets sent to the specific destination IP address, in SYN packets per second. When the threshold is exceeded, the attack defense is activated. For the interface-based case, rate-number ranges from 1 to 1,000,000 (packets/second). For the IP or zone-based case, rate-number ranges from 1 to 65535 (packets/second). The default value is 1000 (packets/second).
tcp-proxy { auto | on | off }: sets the enabling state of TCP proxy. With auto, TCP proxy starts automatically when the protected host is attacked by SYN Flood and stops automatically when the host is safe. on and off enable and disable TCP proxy manually, regardless of whether the host is under SYN Flood attack. If off is configured and the protected host is attacked by SYN Flood, the TCP service will be interrupted. The default value of TCP proxy is auto, that is, the system decides when to start and stop TCP proxy.
source-detect: sets the enabling state of TCP reverse detection. auto indicates automatic enabling: when the protected host is detected to be under SYN Flood attack, TCP reverse detection is enabled automatically, and when the host is safe it is disabled automatically. on indicates manual enabling, that is, TCP reverse detection is enabled regardless of whether the protected host is attacked by SYN Flood. off indicates manual disabling, that is, the TCP agent is disabled regardless of whether the protected host is attacked by SYN Flood. If off is configured and the protected host is attacked by SYN Flood, the TCP service will be interrupted. The default value of tcp-proxy is auto, that is, enabling or disabling the TCP agent is decided by the system.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The SYN Flood configurations include the TCP proxy agent and TCP reverse detection. You can select one of them according to the networking situation of the round-trip paths; if the round-trip paths are inconsistent, you must select TCP reverse detection. Host- or zone-based SYN Flood attack defense forcibly enables the interface-based SYN Flood attack defense. If an interface is configured with the TCP agent, the TCP agent function of the interface is enabled; if the interface is configured with TCP reverse detection, the TCP reverse detection function of the interface is enabled.
The priority of the SYN Flood IP configuration is higher than that of the security zone configuration. If the SYN Flood attack defense function is enabled both for a specific IP address and for the security zone where the IP address resides, the detection parameters for that IP address come from the IP configuration. If the IP configuration is cancelled, the detection parameters come from the security zone configuration. By default, SYN Flood attack defense is disabled. In addition to the firewall defend syn-flood command, you must run the firewall defend syn-flood enable command to turn on the global switch when enabling SYN Flood defense.
Examples
# Set the threshold of the SYN packet connection rate to 100 packets/second, and manually enable the TCP agent function.
<Eudemon> system-view
[Eudemon] firewall defend syn-flood zone trust max-rate 100 tcp-proxy on
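A fuller SYN Flood configuration sequence built from the commands described above, added here as an illustration rather than taken from the Huawei manual. It shows the global switch, a zone-level baseline, an IP-level override for one host, and the fallback when that override is removed; the zone name trust comes from the manual, while the host address 192.0.2.10 and the threshold values are constructed and chosen within the documented ranges.

```text
# Step 1: turn on the global switch first; zone- and IP-level entries have no effect without it.
<Eudemon> system-view
[Eudemon] firewall defend syn-flood enable
# Step 2: zone-level baseline for the trust zone: 1000 SYN packets/second (the default threshold)
# with TCP proxy in auto mode, so the proxy runs only while an attack is detected.
[Eudemon] firewall defend syn-flood zone trust max-rate 1000 tcp-proxy auto
# Step 3: IP-level entry for one server on an asymmetric round-trip path (constructed address).
# Per the usage guidelines, inconsistent round-trip paths require TCP reverse detection, not the proxy.
# The IP entry takes priority over the trust zone entry for this host, with a tighter threshold.
[Eudemon] firewall defend syn-flood ip 192.0.2.10 max-rate 200 source-detect auto
# Step 4: removing the IP-level entry makes 192.0.2.10 fall back to the zone-level parameters.
[Eudemon] undo firewall defend syn-flood ip 192.0.2.10
```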
Format
firewall defend syn-flood enable
undo firewall defend syn-flood enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, SYN Flood attack defense is disabled in the global scope.
Examples
# Enable SYN Flood attack defense in the global scope.
Format
firewall defend tcp-flag enable
undo firewall defend tcp-flag enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, TCP flag validity detection is disabled.
Examples
# Enable TCP flag validity detection.
<Eudemon> system-view
[Eudemon] firewall defend tcp-flag enable
Format
firewall defend teardrop enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, Teardrop attack defense is disabled.
Examples
# Enable Teardrop attack defense.
<Eudemon> system-view
[Eudemon] firewall defend teardrop enable
Format
firewall defend time-stamp enable
undo firewall defend time-stamp enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the function is disabled.
Examples
# Enable the Timestamp attack defense.
<Eudemon> system-view
[Eudemon] firewall defend time-stamp enable
Format
firewall defend tracert enable
undo firewall defend tracert enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, Tracert packet attack defense is disabled.
Examples
# Enable Tracert packet attack defense.
<Eudemon> system-view
[Eudemon] firewall defend tracert enable
Function
Using the firewall defend udp-flood command, you can set the parameter values of the UDP Flood attack detection function. Through the command, you can protect the specified interface, IP address, or security zone. In addition, you can set the threshold of the rate of the UDP packets for the protection object. Using the undo firewall defend udp-flood command, you can disable UDP Flood attack defense.
Format
firewall defend udp-flood interface { interface-type interface-number | all } [ max-rate max-rate ]
firewall defend udp-flood ip ip-address [ vpn-instance vpn-instance-name ] [ alert alert-rate ] [ max-rate rate-number ]
firewall defend udp-flood zone [ vpn-instance vpn-instance-name ] zone-name [ alert alert-rate ] [ max-rate rate-number ]
firewall defend udp-flood source-max-rate rate-number interval interval-value
undo firewall defend udp-flood [ interface { interface-type interface-number | all } | ip ip-address [ vpn-instance vpn-instance-name ] | source-max-rate | zone [ vpn-instance vpn-instance-name ] zone-name | vpn-instance vpn-instance-name ]
Parameters
interface: sets a protected interface. In undo mode, it restores the default UDP Flood detection values for the interface; if interface is set to all, the defaults are restored for all interfaces.
interface-type interface-number: indicates the type and number of an interface.
ip ip-address: sets a protected IP address. In undo mode, UDP Flood detection is disabled for the IP address. If, in undo mode, ip is given without an ip-address, UDP Flood detection is disabled for all hosts configured with IP address protection. The UDP Flood attack defense function can protect a maximum of 1000 IP addresses simultaneously.
zone zone-name: sets a protected security zone. In undo mode, UDP Flood detection is disabled for all IP addresses in the security zone. If, in undo mode, zone is given without a zone-name, UDP Flood detection is disabled for all protected security zones.
alert alert-rate: sets the alarm rate for IP or security zone-based UDP packets. When the number of UDP packets per second exceeds this threshold, an attack is deemed to occur and the fingerprint filter is enabled. The value ranges from 1 to 30000. The default value is 500 packets/second.
max-rate rate-number: for the interface-based case, when the number of first UDP packets of each link per second exceeds the threshold, an attack is deemed to occur and the rate of first UDP packets of each link on the interface is restricted. For the IP or security zone-based case, when the number of UDP packets per second exceeds the threshold, destination rate restriction is performed. For the IP or security zone-based case, the value ranges from 1 to 65535 (packets/second) and the default value is 1000 (packets/second). For the interface-based case, the value ranges from 100 to 500000 (packets/second) and the default value is 500000 (packets/second).
source-max-rate rate-number: sets the threshold of the UDP packet rate for the source IP protection object. This setting is valid only when IP or security zone-based attack defense is enabled, in which case the source rate is restricted. The value ranges from 1 to 10,000. The default value is 300.
interval interval-value: sets the time interval over which UDP packet statistics are collected. The value ranges from 1 to 60 seconds. The default value is 5 seconds.
vpn-instance vpn-instance-name: specifies the name of the VPN instance where the host to be protected resides. The value is a string of 1 to 19 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The priority of the UDP Flood IP configuration is higher than that of the security zone configuration. If the UDP Flood attack defense function is enabled both for a specific IP address and for the security zone where the IP address resides, the detection parameters for that IP address come from the IP configuration. If the IP configuration is cancelled, the detection parameters come from the security zone configuration. By default, UDP Flood attack defense is disabled. When UDP traffic exceeds the configured alert rate, the Eudemon identifies the attack traffic and filters it based on the packet fingerprint. If the Eudemon cannot obtain the fingerprint of the attack traffic, it restricts the rate based on the source and destination IP addresses. In addition to the firewall defend udp-flood command, you must run the firewall defend udp-flood enable command to turn on the global switch when enabling the UDP Flood defense function.
Examples
# Set the threshold of the first UDP packet alarm rate to 500 packets/second, and set the threshold of the maximum rate to 1000 packets/second.
<Eudemon> system-view
[Eudemon] firewall defend udp-flood zone trust alert 500 max-rate 1000
Using the undo firewall defend udp-flood enable command, you can disable the UDP Flood attack defense globally.
Format
firewall defend udp-flood enable
undo firewall defend udp-flood enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the UDP Flood attack defense is disabled globally.
Examples
# Enable the UDP Flood attack defense globally.
<Eudemon> system-view
[Eudemon] firewall defend udp-flood enable
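The UDP Flood parameter command and its global switch from the two sections above, combined into one configuration sequence as an added example that is not from the Huawei manual. It shows the alert rate that triggers fingerprint filtering, the destination rate cap, the source-side cap with its statistics interval, and an IP-level entry that overrides the zone entry; the zone name dmz appears in the manual, while the address 192.0.2.53 and the rates are constructed values within the documented ranges.

```text
# Global switch first: the per-zone and per-IP entries below do nothing until it is on.
<Eudemon> system-view
[Eudemon] firewall defend udp-flood enable
# Zone-level entry for dmz: at 800 UDP packets/second an attack is flagged and the fingerprint
# filter starts; at 3000 packets/second destination rate restriction applies.
[Eudemon] firewall defend udp-flood zone dmz alert 800 max-rate 3000
# Source-side cap: valid once zone- or IP-based defense is active; any single source is held to
# 200 UDP packets/second, with statistics collected over 10-second intervals.
[Eudemon] firewall defend udp-flood source-max-rate 200 interval 10
# IP-level entry for one host in dmz (constructed address). Its tighter thresholds take priority
# over the dmz zone entry for this host; removing it would return the host to the zone values.
[Eudemon] firewall defend udp-flood ip 192.0.2.53 alert 300 max-rate 1500
```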
Format
firewall defend dns-flood enable
undo firewall defend dns-flood enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the DNS Flood attack defense is disabled globally.
Examples
# Enable the DNS Flood attack defense globally.
<Eudemon> system-view
[Eudemon] firewall defend dns-flood enable
Format
firewall defend dns-flood interface { interface-type interface-number | all } [ alert alert-rate ] [ max-rate max-rate ]
firewall defend dns-flood ip ip-address [ vpn-instance vpn-instance-name ] [ alert alert-rate ] [ max-rate rate-number ]
firewall defend dns-flood zone [ vpn-instance vpn-instance-name ] zone-name [ alert alert-rate ] [ max-rate rate-number ]
firewall defend dns-flood source-max-rate rate-number interval interval-value
undo firewall defend dns-flood [ interface { interface-type interface-number | all } | ip ip-address [ vpn-instance vpn-instance-name ] | source-max-rate | zone [ vpn-instance vpn-instance-name ] zone-name | vpn-instance vpn-instance-name ]
Parameters
interface: sets a protected interface. In undo mode, it disables DNS Flood detection for the interface; if interface is set to all, DNS Flood detection is disabled for all interfaces.
interface-type interface-number: indicates the type and number of an interface.
ip ip-address: sets a protected IP address. In undo mode, DNS Flood detection is disabled for the IP address. If, in undo mode, ip is given without an ip-address, DNS Flood detection is disabled for all hosts configured with IP address protection. The DNS Flood attack defense function can protect a maximum of 1000 IP addresses simultaneously.
zone zone-name: sets a protected security zone. In undo mode, DNS Flood detection is disabled for all IP addresses in the security zone. If, in undo mode, zone is given without a zone-name, DNS Flood detection is disabled for all protected security zones.
alert alert-rate: sets the alert-rate threshold for DNS query packets to the specific destination IP address; when the rate of DNS query packets exceeds the threshold, an alarm is generated. For the IP or security zone-based case, the value ranges from 1 to 30000 (packets/second) and the default value is 500 (packets/second). For the interface-based case, the value ranges from 1 to 500000 (packets/second) and the default value is 1000 (packets/second).
max-rate rate-number: sets the rate threshold for DNS query packets to the specific destination IP address; when the number of DNS query packets per second exceeds the threshold, an attack is deemed to occur. For the IP or security zone-based case, the value ranges from 1 to 65535 (packets/second) and the default value is 1,000 (packets/second). For the interface-based case, the value ranges from 1 to 500000 (packets/second) and the default value is 500000 (packets/second).
source-max-rate rate-number: sets the rate threshold for DNS query packets from the protection object. When IP or security zone-based attack defense is enabled, the firewall defend dns-flood source-max-rate command is valid and the source rate is restricted. The value ranges from 1 to 10,000. The default value is 300.
interval interval-value: sets the time interval over which DNS query packet statistics are collected. The value ranges from 1 to 60 seconds. The default value is 2 seconds.
vpn-instance vpn-instance-name: specifies the name of the VPN instance where the host to be protected resides. The value is a string of 1 to 19 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
In addition to the firewall defend dns-flood command, you must run the firewall defend dns-flood enable command to turn on the global switch when enabling the DNS Flood defense function.
Examples
# Set the threshold of the first DNS packet alarm rate to 600 packets/second, and set the threshold of the maximum rate to 2000 packets/second.
<Eudemon> system-view
Format
firewall defend get-flood enable
undo firewall defend get-flood enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the GET Flood attack defense is disabled globally.
Examples
# Enable the GET Flood attack defense globally.
<Eudemon> system-view
[Eudemon] firewall defend get-flood enable
Format
firewall defend get-flood ip ip-address [ vpn-instance vpn-instance-name ] [ alert alert-rate interval interval-value1 restore restore-value interval interval-value2 ] [ max-rate rate-number ]
firewall defend get-flood zone [ vpn-instance vpn-instance-name ] zone-name [ alert alert-rate interval interval-value1 restore restore-value interval interval-value2 ] [ max-rate rate-number ]
undo firewall defend get-flood [ ip [ ip-address ] [ vpn-instance vpn-instance-name ] | zone [ vpn-instance vpn-instance-name ] [ zone-name ] | vpn-instance vpn-instance-name ]
Parameters
ip ip-address: sets a protected IP address. In undo mode, GET Flood detection is disabled for the IP address. If, in undo mode, ip is given without a specific ip-address, GET Flood detection is disabled for all protected hosts configured by IP address. The GET Flood attack defense function can protect a maximum of 1000 IP addresses simultaneously.
zone zone-name: sets the name of a protected security zone. In undo mode, GET Flood detection is disabled for all IP addresses in the security zone. If, in undo mode, zone is given without a specific zone-name, GET Flood detection is disabled for all protected security zones.
alert alert-rate: sets the alarm-rate threshold for GET or POST packets to the specific destination IP address; when the number of GET or POST packets within the interval-value1 period exceeds the threshold, an alarm is generated. The value ranges from 2 to 65535 packets/second. The default value is 200 (packets/second).
interval interval-value1: sets the time interval over which GET or POST packet statistics are collected for the alarm. The value ranges from 1 to 30 seconds. The default value is 2 seconds.
restore restore-value: sets the alarm-cancellation threshold for the original IP address; when the number of GET or POST packets within the interval-value2 period falls below the threshold, the alarm is cancelled. The value ranges from 1 to 65535 packets/second. The default value is 2000 packets/second.
interval interval-value2: sets the time interval over which GET or POST packet statistics are collected for alarm cancellation. The value ranges from 1 to 3600 seconds. The default value is 60 seconds.
max-rate rate-number: sets the rate threshold for GET or POST packets to the specific destination IP address. The value ranges from 1 to 65535 packets/second. The default value is 3000 (packets/second).
vpn-instance vpn-instance-name: specifies the name of the VPN instance where the host to be protected resides. The value is a string of 1 to 19 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
In addition to the firewall defend get-flood command, you must run the firewall defend get-flood enable command to turn on the global switch when enabling the GET Flood defense function.
Examples
# For the DMZ security zone, set the alarm rate measured over 2 seconds to 2000 packets/second, and cancel the alarm when the rate of GET or POST packets measured over 20 seconds is lower than 2000 packets/second.
<Eudemon> system-view
[Eudemon] firewall defend get-flood zone dmz alert 2000 interval 2 restore 2000 interval 20
Format
firewall defend get-flood uriblock uriblock-number interval interval-value
undo firewall defend get-flood uriblock
Parameters
uriblock-number: indicates the threshold of sampled HTTP request packets with the same URI. The value ranges from 2 to 30. The default value is 4.
interval interval-value: sets the time interval over which the number of HTTP request packets is collected. The value ranges from 1 to 60 seconds. The default value is 5 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Add the user to the blacklist when the number of HTTP request packets with the same URI in 2 seconds reaches 4.
<Eudemon> system-view
[Eudemon] firewall defend get-flood uriblock 4 interval 2
Format
firewall defend get-flood blacklist-timeout interval
undo firewall defend get-flood blacklist-timeout
Parameters
interval: indicates the aging time of the blacklist. The value ranges from 1 to 1000 in minutes. The default value is 8 minutes.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the aging time of the blacklist to 10 minutes.
<Eudemon> system-view
[Eudemon] firewall defend get-flood blacklist-timeout 10
Using the undo firewall defend tcp-illeage-session enable command, you can disable tcp-illeage-session attack defence.
Format
firewall defend tcp-illeage-session enable
undo firewall defend tcp-illeage-session enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enable tcp-illeage-session attack defence.
<Eudemon> system-view
[Eudemon] firewall defend tcp-illeage-session enable
Format
firewall defend tcp-illeage-session blacklist-timeout interval
undo firewall defend tcp-illeage-session blacklist-timeout
Parameters
interval: indicates the aging time of the blacklist. The value ranges from 1 to 1000 in minutes. The default value is 8 minutes.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
An IP address that was added to the blacklist because its exceptional sessions exceeded the configured threshold is aged out after the interval. It is then considered a normal IP address again and can access the server. The firewall defend tcp-illeage-session command takes effect only when the tcp-illeage-session attack detection function is also switched on globally with the firewall defend tcp-illeage-session enable command. If the interval is not configured, the default value is used.
Examples
# Set the aging time of the blacklist to 10 minutes.
<Eudemon> system-view
[Eudemon] firewall defend tcp-illeage-session blacklist-timeout 10
Format
firewall defend tcp-illeage-session number session-number [ interval interval ]
undo firewall defend tcp-illeage-session number
Parameters
session-number: sets the threshold of the exceptional session number. The value ranges from 1 to 255. The default value is 8.
interval: sets the time interval over which exceptional sessions are counted. The value ranges from 1 to 240 in seconds. The default value is 15 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When the number of exceptional sessions generated by a source within the interval exceeds session-number, the source is identified as a TCP multi-link attacker and is added to the blacklist. The firewall defend tcp-illeage-session command takes effect only when the tcp-illeage-session attack detection function is also switched on globally with the firewall defend tcp-illeage-session enable command. If the interval is not configured, the default value is used.
Examples
# Configure Connection Flood attack defence.
<Eudemon> system-view
[Eudemon] firewall defend tcp-illeage-session number 10 interval 15
Format
firewall defend tcp-illeage-session packet packet-number [ interval interval ]
undo firewall defend tcp-illeage-session packet
Parameters
packet-number: sets the threshold of the number of packets exchanged in a session. The value ranges from 1 to 255. The default value is 1.
interval: sets the time interval over which the packets of a session are counted. The value ranges from 1 to 240 in seconds. The default value is 15 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After a TCP session is created, it is identified as an exceptional session (that is, a useless session, typically generated by an attacker) when the number of packets exchanged within interval seconds is smaller than packet-number. The firewall defend tcp-illeage-session command takes effect only when the tcp-illeage-session attack detection function is also switched on globally with the firewall defend tcp-illeage-session enable command. If the interval is not configured, the default value is used.
Examples
# Configure Connection Flood attack defence.
<Eudemon> system-view
[Eudemon] firewall defend tcp-illeage-session packet 1 interval 15
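As an added illustration that is not part of the Huawei documentation, the Python model below applies the three tcp-illeage-session thresholds described above (packet-number, session-number and blacklist-timeout, using the values from the page's examples) to a constructed list of session records. It assumes that each record already carries the number of packets the session exchanged during the first interval seconds, since the page does not describe how the Eudemon counts them.

```python
"""Model of the tcp-illeage-session (Connection Flood) detection thresholds.

Assumption (not stated on the page): each session record already carries the
number of packets exchanged during the first packet_interval seconds after the
session was created, so the model does not itself count packets on the wire.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List


@dataclass
class IllegalSessionConfig:
    packet_number: int = 1      # firewall defend tcp-illeage-session packet (page default 1)
    packet_interval: int = 15   # seconds over which a new session's packets are counted
    session_number: int = 8     # firewall defend tcp-illeage-session number (page default 8)
    session_interval: int = 15  # seconds over which exceptional sessions are counted
    blacklist_timeout: int = 8  # firewall defend tcp-illeage-session blacklist-timeout, minutes


@dataclass
class Session:
    src: str       # source IP address that opened the session
    start: int     # creation time in seconds
    packets: int   # packets exchanged within packet_interval seconds of creation


class IllegalSessionDetector:
    """Applies the three thresholds to sessions presented in time order."""

    def __init__(self, cfg: IllegalSessionConfig) -> None:
        self.cfg = cfg
        self.exceptional: Dict[str, Deque[int]] = defaultdict(deque)  # src -> start times
        self.blacklist: Dict[str, int] = {}  # src -> time (seconds) the entry ages out

    def process(self, s: Session) -> str:
        # 1. A blacklisted source is dropped until its entry ages out, after which
        #    it is treated as a normal source again.
        expiry = self.blacklist.get(s.src)
        if expiry is not None:
            if s.start < expiry:
                return "blocked"
            del self.blacklist[s.src]
        # 2. A session that carries fewer than packet_number packets in the interval
        #    is an exceptional (useless) session.
        if s.packets >= self.cfg.packet_number:
            return "normal"
        window = self.exceptional[s.src]
        window.append(s.start)
        # keep only exceptional sessions that started within session_interval seconds
        while window and window[0] <= s.start - self.cfg.session_interval:
            window.popleft()
        # 3. More than session_number exceptional sessions in the interval identifies
        #    the source as a TCP multi-link attacker and blacklists it.
        if len(window) > self.cfg.session_number:
            self.blacklist[s.src] = s.start + self.cfg.blacklist_timeout * 60
            window.clear()
            return "blacklisted"
        return "exceptional"


def run_detector(cfg: IllegalSessionConfig, sessions: List[Session]) -> List[str]:
    """Return one verdict per session: normal, exceptional, blacklisted or blocked."""
    detector = IllegalSessionDetector(cfg)
    return [detector.process(s) for s in sorted(sessions, key=lambda x: x.start)]


# Values from the page's examples: number 10 interval 15, packet 1 interval 15,
# blacklist-timeout 10.
EXAMPLE_CONFIG = IllegalSessionConfig(packet_number=1, packet_interval=15,
                                      session_number=10, session_interval=15,
                                      blacklist_timeout=10)

# Constructed session log (addresses are documentation-range placeholders).
SAMPLE_SESSIONS = (
    [Session("192.0.2.10", 0, 40)]                            # ordinary client
    + [Session("192.0.2.77", t, 0) for t in range(1, 12)]     # 11 empty sessions in 11 s
    + [Session("192.0.2.77", 12, 0),                          # dropped: blacklisted
       Session("192.0.2.10", 20, 0),                          # one empty session, under threshold
       Session("192.0.2.77", 300, 5),                         # still inside the 10-minute timeout
       Session("192.0.2.77", 700, 30)]                        # entry aged out, normal again
)

if __name__ == "__main__":
    ordered = sorted(SAMPLE_SESSIONS, key=lambda x: x.start)
    for s, verdict in zip(ordered, run_detector(EXAMPLE_CONFIG, SAMPLE_SESSIONS)):
        print(f"t={s.start:>3}s {s.src:<12} packets={s.packets:<3} {verdict}")
```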
Format
firewall defend winnuke enable
undo firewall defend winnuke enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the WinNuke attack defense is disabled.
Examples
# Enable the WinNuke attack defense.
Format
firewall source-ip detect aging-time interval
undo firewall source-ip detect aging-time
Parameters
interval: specifies the aging time of the source IP monitoring table. It is an integer that ranges from 1 to 65535, in minutes.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When TCP reverse detection is configured, the Eudemon checks the source IP address of incoming SYN packets and adds the addresses that pass the check to the source IP address monitoring table. Subsequent SYN packets from such an address are forwarded by matching the source IP address monitoring table. The aging time of the source IP address monitoring table can be configured as required. By default, the aging time of the source IP monitoring table is 1 minute.
Examples
# Set the aging time of the source IP monitoring table to 10 minutes.
<Eudemon> system-view
[Eudemon] firewall source-ip detect aging-time 10
Function
Using the firewall statistic system connect-number command, you can set the total number of TCP/UDP connections in the system. Using the undo firewall statistic system connect-number command, you can restore the default value.
Format
firewall statistic system connect-number { tcp | udp | icmp | tcp-proxy } threshold-value
undo firewall statistic system connect-number { tcp | udp | icmp | tcp-proxy }
Parameters
tcp: refers to TCP connections.
udp: refers to UDP connections.
icmp: refers to ICMP connections.
tcp-proxy: refers to TCP Proxy connections.
threshold-value: refers to the total threshold. When you set tcp, the value ranges from 1 to 2000000. The default value is 2000000. When you set udp, the value ranges from 1 to 2000000. The default value is 2000000. When you set icmp, the value ranges from 1 to 500000. The default value is 20480. When you set tcp-proxy, the value ranges from 1 to 2000000. The default value is 250000.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Here the connection number refers to the total number of connections in both directions in the system. The Eudemon outputs an alert log when the connection number exceeds the threshold value.
CAUTION
You are required to use the firewall statistic system connect-number command in system view to set values associated with the system and to use the statistic connect-number command in zone view to set values associated with zone/IP.
Examples
# The threshold value of system-based TCP connections is 120,000.
Format
firewall statistic system enable
undo firewall statistic system enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, statistics are enabled in the global scope.
Examples
# Enable statistics in the global scope.
<Eudemon> system-view
[Eudemon] firewall statistic system enable
Format
statistic car ip { inbound | outbound } car-class acl-number acl-number
undo statistic car ip { inbound | outbound } car-class acl-number acl-number
Parameters
ip: refers to the value of the IP address.
inbound: refers to the inbound direction in the zone.
outbound: refers to the outbound direction in the zone.
car-class: specifies the IP bandwidth class, in the range of 1 to 7.
acl-number acl-number: specifies the ACL number, in the range of 2000 to 3999.
Views
Security zone view
Default Level
2: Configuration level
Usage Guidelines
In addition, you can set the bandwidth for an IP address in the incoming and outgoing directions separately, and assign different bandwidth classes to different IP addresses based on an ACL. IP-based statistics must first be enabled in the security zone with the statistic enable command.
Examples
# Set the inbound bandwidth class of each IP address in the untrust zone to 3 (bandwidth 1000000 bit/s).
<Eudemon> system-view
[Eudemon] firewall car-class 3 1000000
[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit
[Eudemon-acl-basic-2000] quit
[Eudemon] firewall zone untrust
[Eudemon-zone-untrust] statistic enable ip inzone
[Eudemon-zone-untrust] statistic car ip inbound 3 acl-number 2000
Format
statistic connect-number ip { tcp | udp } { inbound | outbound } connect-class acl-number acl-number
undo statistic connect-number ip { tcp | udp } { inbound | outbound } connect-class acl-number acl-number
Parameters
ip: refers to the value of the IP address.
inbound: refers to the inbound direction in the zone.
outbound: refers to the outbound direction in the zone.
tcp: refers to the TCP connection.
udp: refers to the UDP connection.
connect-class: indicates the class of the global connection number. The value ranges from 1 to 7.
acl-number acl-number: indicates the ACL rule matching the TCP or UDP connection. The value ranges from 2000 to 3999.
Views
Security zone view
Default Level
2: Configuration level
Usage Guidelines
Here the value for zone/IP-based connections is defined according to the packet transmission direction relative to the destination zone. The Eudemon outputs an alert log when the connection number exceeds the high value and restricts connection requests to the zone. When the number drops to the low value, the Eudemon outputs a normal log and cancels the limit. You need to run the firewall statistic system connect-number command in the system view to set the parameters related to the system, and the statistic connect-number command in the security zone view to set the parameters related to security zones or IP addresses. IP-based statistics must first be enabled in the security zone with the statistic enable command.
Examples
# Set the number class of the TCP connections originated in the inbound direction of the untrust security zone to 2 and set the TCP connections to match ACL2000.
<Eudemon> system-view
[Eudemon] firewall conn-class 2 5000
[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit source 1.1.1.1 0.0.0.0
[Eudemon-acl-basic-2000] quit
[Eudemon] firewall zone untrust
[Eudemon-zone-untrust] statistic enable ip inzone
[Eudemon-zone-untrust] statistic connect-number ip tcp inbound 2 acl-number 2000
Format
statistic ip-stat { inbound | outbound } acl-number acl-number
undo statistic ip-stat { inbound | outbound }
Parameters
inbound: refers to the inbound direction in the zone.
outbound: refers to the outbound direction in the zone.
acl-number acl-number: indicates the ACL rule matching the TCP or UDP connection. The value ranges from 3000 to 3999. A deny rule in this ACL means that the number of IP connections of the matching traffic is not limited; permit rules are not used here.
Views
Security zone view
Default Level
2: Configuration level
Usage Guidelines
The relationships between the commands used to restrict traffic or bandwidth are as follows:
- Use the statistic enable command to enable the IP statistics function in the inbound or outbound security zone. Otherwise, the other commands do not take effect.
- Use the firewall conn-class or firewall car-class command to configure the level of the number of IP connections or the bandwidth. Otherwise, the statistic ip-stat, statistic connect-number, and statistic car ip commands do not take effect.
- Use the statistic connect-number or statistic car ip command to specify the level of the number of IP connections or the bandwidth in the inbound or outbound security zone.
- Use the statistic ip-stat command to set the traffic type for which the number of IP connections or bandwidth is not restricted, in the inbound or outbound security zone. If the number of IP connections or bandwidth in a network segment or at an IP address is already restricted by the statistic connect-number or statistic car ip command, you can use statistic ip-stat to cancel the restriction on the number of IP connections or bandwidth for certain services or for the source IP address in that network segment or at that IP address.
Examples
# Limit the inbound TCP traffic to 100.1.1.2 in the untrust zone based on connection class or bandwidth class.
<Eudemon> system-view
[Eudemon] acl number 3300
[Eudemon-acl-adv-3300] rule deny tcp destination 100.1.1.2 0
[Eudemon-acl-adv-3300] quit
[Eudemon] firewall zone untrust
[Eudemon-zone-untrust] statistic ip-stat inbound acl 3300
Format
statistic enable ip { inzone | outzone }
undo statistic enable ip { inzone | outzone }
Parameters
inzone: collects statistics of the data packets in the inbound direction based on an IP address. The data packets in the inbound direction are the data packets whose destination addresses are in the security zone; in the case of IP-based statistics, they are counted according to their destination addresses.
outzone: collects statistics of the data packets in the outbound direction based on an IP address. The data packets in the outbound direction are the data packets whose source addresses are in the security zone; in the case of IP-based statistics, they are counted according to their source addresses.
Views
Security zone view
Default Level
2: Configuration level
Usage Guidelines
By default, IP-based statistics are disabled.
Examples
# Enable IP-based statistics in the trust zone to take statistics on inbound packets on the basis of destination addresses only.
<Eudemon> system-view
[Eudemon] firewall zone trust
[Eudemon-zone-trust] statistic enable ip inzone
Format
aspf packet-filter acl-number { inbound | outbound }
undo aspf packet-filter { inbound | outbound }
Parameters
acl-number: specifies the number of an ACL. It is an integer ranging from 2000 to 3999. ACLs numbered from 2000 to 2999 are basic ACLs; ACLs numbered from 3000 to 3999 are advanced ACLs.
inbound: configures inbound packet filtering in the interzone.
outbound: configures outbound packet filtering in the interzone.
Views
Interzone view
Default Level
2: Configuration level
Usage Guidelines
By configuring the aspf packet-filter command, you can filter the packets that match the triplet ServerMap table and control packet filtering in a more precise manner.
Examples
# Configure filtering rules for the packets that match the triplet ServerMap table.
<Eudemon> system-view
[Eudemon] acl number 2001
[Eudemon-acl-basic-2001] rule deny source 10.1.1.1 0
[Eudemon-acl-basic-2001] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] aspf packet-filter 2001 outbound
Format
debugging e1000-aspf { all | codec | hrp }
undo debugging e1000-aspf { all | codec | hrp }
Parameters
all: indicates all ASPF debugging information.
codec: indicates the ASPF codec debugging information.
hrp: indicates the ASPF HRP debugging information.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
By default, ASPF debugging is disabled. Use this command with caution.
Examples
# Display all ASPF debugging information.
<Eudemon> debugging e1000-aspf all
3.7.3 detect
Function
Using the detect command, you can apply ASPF on application layer protocols. Using undo detect command, you can remove the configuration.
Format
detect protocol [ acl-number { inbound | outbound } ]
undo detect protocol { inbound | outbound }
Parameters
protocol: indicates the name of a protocol supported by ASPF. In the interzone view, the optional values are ftp, http, hwcc, h323, msn, qq, mgcp, rtsp, mms, netbios, pptp, rpc, sip, sqlnet, activex-blocking, and java-blocking; they enable ASPF detection for the corresponding application protocol or, for activex-blocking and java-blocking, set the ACLs for ActiveX and Java program blocking. In the intrazone view, the optional values are ftp, h323, mgcp, rtsp, sip, and sqlnet.
acl-number: indicates the basic ACL number. The value ranges from 2000 to 2999. It is valid only when the protocol is java-blocking or activex-blocking.
inbound: processes the data packets from a low-priority zone to a high-priority zone.
outbound: processes the data packets from a high-priority zone to a low-priority zone.
Views
Interzone view / security zone view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Apply ASPF on HTTP protocols and define ACL2001 to filter Java Applets from 10.1.1.1. The server is in the trust security zone of the Eudemon.
<Eudemon> system-view
[Eudemon] acl number 2001
[Eudemon-acl-basic-2001] rule permit source 10.1.1.1 0
[Eudemon-acl-basic-2001] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] detect http
[Eudemon-interzone-trust-untrust] detect java-blocking 2001
Function
Using the detect user-define command, you can enable the triplet process on the Eudemon. Using the undo detect user-define command, you can disable this function.
Format
detect user-define acl-number { inbound | outbound } [ aging-time ]
undo detect user-define { inbound | outbound } [ aging-time ]
Parameters
acl-number: specifies the ACL rule required by the triplet process. The value ranges from 2000 to 3999. By default, it is 0, that is, no user-define is configured.
inbound: processes the data packets from a low-priority zone to a high-priority zone.
outbound: processes the data packets from a high-priority zone to a low-priority zone.
aging-time: specifies the aging time of the servermap entries. The value ranges from 1 to 65535 seconds. By default, the aging time of servermap entries is 120 seconds.
Views
Interzone view
Default Level
2: Configuration level
Usage Guidelines
By default, this function is disabled.
Examples
# Enable the triplet process between the Trust zone and the Untrust zone. The ACL to be matched is 2000.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] detect user-define inbound 2000
Format
display firewall servermap [ ip ip-address ] [ vpn-instance { vpn-instance-name | public } ]
Parameters
ip-address: indicates an IP address.
vpn-instance vpn-instance-name: specifies the VPN instance name, a string of 1 to 19 characters.
public: displays the entries of VPN 0.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When viewing server map entries, users with different rights see different results:
- A superuser can view all the configured server map entries, and can view the server map entries belonging to a VPN by specifying the VPN instance.
- When running the display firewall server-map command, a virtual user can view only the server map entries of the VPN instance to which the virtual user belongs. When the virtual user runs the display firewall server-map command with vpn-instance, the Eudemon displays the server map entries of the VPN instance to which the virtual user belongs. Otherwise, the prompt "Virtual configurer user can't access other VPN-Instance." is displayed.
Examples
# Display the information of server map entries according to the specified VPN for a superuser.
<Eudemon> display firewall server-map vpn-instance public
Function
Using the display firewall blacklist command, you can view the running status and the entries of the blacklist on the Eudemon.
Format
display firewall blacklist { enable | item [ ip-address ] [ vpn-instance { vpn-instance-name | public } ] | filter-type }
Parameters
enable: displays whether the blacklist of each type is enabled.
item source-address: displays the information of blacklist entries. source-address indicates the IP address of an entry. If source-address is specified, the detailed information of the specified blacklist entry is displayed. If source-address is not specified, the brief information of all current blacklist entries is displayed.
filter-type: displays the filter type of the blacklist.
vpn-instance vpn-instance-name: displays the information of the blacklist entries of a VPN instance. vpn-instance-name indicates the name of a VPN instance; the value is a character string of 1 to 19 characters. If vpn-instance-name is specified, the information of the blacklist entries of that VPN instance is displayed.
public: displays the information of the blacklist entries of VPN 0.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
item [ source-address ] displays the information of blacklist entries. If source-address is not specified, the brief information of all current blacklist entries is displayed. If source-address is specified, the detailed information of the specified blacklist entry is displayed. enable displays the running status of the blacklist function. When viewing the blacklist, users with different rights see different results. For example:
- A superuser can view all the configured blacklist entries, and can view the blacklist entries belonging to the specified VPN instance.
- When running the display firewall blacklist command, a virtual user can view only the blacklist rules of the VPN instance to which the virtual user belongs. When the virtual user runs the display firewall blacklist command with vpn-instance, the Eudemon displays the blacklist items of the VPN instance to which the virtual user belongs. Otherwise, the prompt "Virtual configurer user can't access other VPN-Instance." is displayed.
Examples
# Display the brief information of all blacklist entries.
<Eudemon> display firewall blacklist item
Format
firewall blacklist aging-time { auth-failed minutes | login-failed minutes }
undo firewall blacklist aging-time { auth-failed | login-failed }
Parameters
auth-failed: indicates the aging time of the auth-failed blacklist.
login-failed: indicates the aging time of the login-failed blacklist.
minutes: specifies the aging time of the blacklist. The value is an integer that ranges from 1 to 1000, in minutes.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When adding a blacklist, you can specify the aging time. The aging time is the time for the specified IP address to take effect after it is added to the blacklist. When the time for the IP address to be added to the blacklist exceeds the aging time, the IP address is released from the blacklist. If the aging time is not specified, the blacklist item is always valid.
Examples
# Set the aging time of the blacklist to 30 minutes.
<Eudemon> system-view
[Eudemon] firewall blacklist aging-time login-failed 30
Format
firewall blacklist authentication-count { auth-failed times | login-failed times }
undo firewall blacklist authentication-count { auth-failed | login-failed }
Parameters
auth-failed: indicates the authentication count of the auth-failed blacklist.
login-failed: indicates the authentication count of the login-failed blacklist.
times: specifies the authentication count of the blacklist. The value ranges from 1 to 5.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the authentication count of blacklist is 3.
Examples
# Set the authentication count of login-failed blacklist as 4.
<Eudemon> system-view
[Eudemon] firewall blacklist authentication-count login-failed 4
Format
firewall blacklist enable [ acl-number acl-number ]
Parameters
acl-number: specifies the number of the advanced ACL. The value is an integer that ranges from 3000 to 3999.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When the blacklist function is enabled, you can configure an ACL to be referenced by the blacklist so that traffic denied by the ACL is filtered. Traffic permitted by the ACL can pass through.
Examples
# Enable the blacklist function.
<Eudemon> system-view
[Eudemon] firewall blacklist enable
Format
firewall blacklist item ip-address [ timeout minutes ] [ vpn-instance vpn-instance-name ]
undo firewall blacklist item [ ip-address [ vpn-instance vpn-instance-name ] ]
Parameters
item ip-address: indicates the IP address to be added to the blacklist.
timeout minutes: specifies the timeout duration. The value of minutes ranges from 1 to 1000, in minutes.
vpn-instance vpn-instance-name: indicates the name of a VPN instance.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Add the IP address 202.39.1.2 to the blacklist manually, and the blacklist item is always valid.
<Eudemon> system-view
[Eudemon] firewall blacklist item 202.39.1.2
Format
display firewall mac-binding { enable | item [ ip-address ] [ vpn-instance { vpn-instance-name | public } ] }
Parameters
enable: displays the running status of address binding.
item: displays the information of an address binding entry.
ip-address: indicates the IP address of the entry to be displayed. If ip-address is specified, the detailed information of the specified address binding entry is displayed. If ip-address is not specified, the brief information of all current address binding entries is displayed.
vpn-instance-name: displays the information of all the address binding entries of a VPN instance. The value is a character string of 1 to 19 characters. If vpn-instance-name is specified, the information of the address binding entries of that VPN instance is displayed.
public: displays the information of all address binding entries of a VPN.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
item [ ip-address ] displays the information of address binding entries. If ip-address is not specified, the brief information of all current address binding entries is displayed. If ip-address is specified, the detailed information of the specified address binding entry is displayed. enable displays the running status of the address binding function. When viewing address binding, users with different rights see different results. For example:
- A superuser can view all the configured address binding entries, and can view the address binding entries belonging to the specified VPN instance.
- When running the display firewall mac-binding command, a virtual user can view only the address binding entries of the VPN instance to which the virtual user belongs. When the virtual user runs the display firewall mac-binding command with vpn-instance, the firewall displays the address binding entries of the VPN instance to which the virtual user belongs. Otherwise, the prompt "Virtual configurer user can't access other VPN-Instance." is displayed.
Examples
# Display the brief information of all address binding entries for a superuser.
<Eudemon> display firewall mac-binding item
# Display the information of the address binding entries of the specified vpn-instance for a superuser.
<Eudemon> display firewall mac-binding item vpn-instance public
Format
firewall mac-binding { enable | ip-address mac-address [ vpn-instance vpn-instance-name ] }
undo firewall mac-binding { enable | all [ vpn-instance vpn-instance-name ] | ip-address [ vpn-instance vpn-instance-name ] }
Parameters
enable: enables the address binding function.
ip-address: specifies the IP address of an address binding pair.
mac-address: specifies the MAC address of an address binding pair.
vpn-instance vpn-instance-name: configures the address binding information of the specified VPN instance. The value is a character string of 1 to 19 characters.
all: indicates all address binding pairs.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Insert an address binding entry whose IP address is 192.168.10.10 and MAC address is 00e0-0000-0001.
<Eudemon> system-view
[Eudemon] firewall mac-binding 192.168.10.10 00e0-0000-0001
Format
display port-mapping [ application-name | port port-number ]
Parameters
application-name: specifies the name of the application in the port mapping. The valid applications are FTP, HTTP, H323, SMTP, RTSP and SQLNET.
port port-number: specifies the port number in the port mapping, in the range of 0 to 65535.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display all port mapping.
<Eudemon> display port-mapping
3.10.2 port-mapping
Function
Using the port-mapping command, you can establish a mapping from a port to an application layer protocol. Using the undo port-mapping command, you can remove an item from the port-mapping.
Format
port-mapping application-name port port-number acl acl-number
undo port-mapping [ application-name port port-number acl acl-number ]
Parameters
application-name: specifies the name of the application. The valid applications are FTP, HTTP, H323, SMTP, RTSP and SQLNET.
port-number: specifies the number of the port, in the range of 0 to 65535.
acl-number: specifies the number of the basic ACL, in the range of 2000 to 2999.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The PAM supports host port identification based on a basic ACL. With it, a self-defined port number is mapped to an application protocol only for packets from the specific hosts matched by the basic ACL. For example, the TCP packets on port 8080 of hosts in the 1.1.0.0 network segment can be identified as HTTP packets, with the host range specified by the basic ACL. The same port cannot be configured with both general port identification and ACL-based host port identification.
Examples
# Establish a mapping relationship between port 3456 and FTP.
<Eudemon> system-view
[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit source 10.1.1.1 0
[Eudemon-acl-basic-2000] quit
[Eudemon] port-mapping ftp port 3456 acl 2000
3.11.1 destination-nat
Function
Using the destination-nat command, you can configure the destination NAT function. Using the undo destination-nat command, you can delete the destination NAT function.
Format
destination-nat acl-number address ip-address [ port port-number ]
undo destination-nat acl-number address ip-address [ port port-number ]
undo destination-nat all
Parameters
acl-number: specifies the ACL group number, in the range of 3000 to 3999.
ip-address: specifies the real IP address of the WAP gateway, in dotted decimal notation. Only a class A, class B or class C address is allowed.
port-number: specifies the destination port number, in the range of 1 to 50000.
Views
Security zone view
Default Level
2: Configuration level
Usage Guidelines
In one security zone, an ACL can be bound to only one WAP gateway IP address. If the port parameter is configured (port-based NAT), the device translates TCP and UDP packets only. Because every packet that matches the ACL is translated, write strict ACLs so that only the packets you intend to translate match and other traffic is left undisturbed.
Examples
# Translate the destination IP address of packets from 10.0.0.1 to 202.1.1.2.
<Eudemon> system-view
[Eudemon] acl 3333
[Eudemon-acl-adv-3333] rule permit ip source 10.0.0.1 0
[Eudemon-acl-adv-3333] quit
[Eudemon] firewall zone trust
[Eudemon-zone-trust] destination-nat 3333 address 202.1.1.2
Format
display nat { address-group | all | interzone | server | zone } [ vpn-instance { vpn-instance-name | public } ]
Parameters
address-group: displays address groups.
all: displays all address translation information.
interzone: displays address translation information between zones.
server: displays internal server information.
zone: displays address translation information within a zone.
vpn-instance vpn-instance-name: displays the address translation information of a VPN instance. The value is a string of 1 to 19 characters.
public: displays the address translation information of VPN 0.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View all information of address translation.
<Eudemon> display nat all
3.11.3 nat
Function
Using the nat command, you can associate an ACL with an address pool, so that packets matched by acl-number are translated using addresses from address pool group-number. Using the undo nat command, you can delete the association.
Format
nat { inbound | outbound } acl-number address-group { group-number | group-name } [ no-pat ]
undo nat { inbound | outbound } acl-number address-group { group-number | group-name } [ no-pat ]
Parameters
acl-number: ACL number. It is an integer in the range 2000 to 3999.
group-number: address group number. It is an integer in the range 0 to 255.
group-name: name of an address group. The value is a string of 1 to 16 characters starting with a letter.
no-pat: uses one-to-one address translation; only the address of the packet is translated and port information is not used. If no-pat is not specified, multiple internal addresses can be mapped to the same address, that is, Network Address Port Translation (NAPT) is used. By default, NAPT is used.
Views
Interzone view
Default Level
2: Configuration level
Usage Guidelines
By associating an ACL with an address pool, you have the source address of each packet matched by the ACL translated to an address selected from the pool. The corresponding undo command deletes the association.
Examples
# Permit address translation for hosts in the 10.110.10.0/24 network segment, selecting an address between 202.110.10.10 and 202.110.10.12 as the translated address.
<Eudemon> system-view
[Eudemon] acl number 2001
[Eudemon-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Eudemon-acl-basic-2001] quit
[Eudemon] nat address-group 1 202.110.10.10 202.110.10.12
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] nat outbound 2001 address-group 1
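Source NAT through an address pool, as nat address-group and nat outbound ... address-group [ no-pat ] describe it, written out as an added Python example (not Eudemon code) so that the difference between NAPT and no-pat is visible on realistic input. Round-robin pool selection for NAPT, a first translated port of 10240, first-free selection for no-pat and dropping a no-pat flow when the pool is exhausted are this example's assumptions; the ACL, pool and hosts are constructed from the manual's example (10.110.10.0/24 translated to 202.110.10.10 through 202.110.10.12).

```python
"""Source NAT through an address pool, modelled on nat address-group and
nat outbound acl-number address-group group-number [ no-pat ].

Added example, not Eudemon code. Assumptions: NAPT hands out pool addresses
round-robin and translated ports from 10240 upwards; no-pat binds each inside
address to the first free pool address; a no-pat flow with no free pool address
is dropped (None); traffic outside the ACL is forwarded untranslated.
"""
import ipaddress


def acl_permits(rules, src_ip: str) -> bool:
    """Basic ACL match, wildcard bit 1 = "do not care"; first matching rule wins."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, addr, wildcard in rules:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (ip & care) == (int(ipaddress.IPv4Address(addr)) & care):
            return action == "permit"
    return False


def address_group(start: str, end: str) -> list:
    """nat address-group: inclusive range; the manual caps a group at 256 addresses."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if e < s or int(e) - int(s) >= 256:
        raise ValueError("address group must satisfy start <= end and hold at most 256 addresses")
    return [str(ipaddress.IPv4Address(i)) for i in range(int(s), int(e) + 1)]


class OutboundNat:
    def __init__(self, acl, pool, no_pat: bool = False):
        self.acl, self.pool, self.no_pat = acl, pool, no_pat
        self.bindings = {}    # no-pat: inside address -> pool address (one-to-one)
        self.sessions = {}    # NAPT: (inside address, port) -> (pool address, port)
        self.next_port = 10240

    def translate(self, src_ip: str, src_port: int):
        """Translated (address, port) for an outbound flow, or None if it is dropped."""
        if not acl_permits(self.acl, src_ip):
            return (src_ip, src_port)               # not matched by the ACL: left untouched
        if self.no_pat:
            if src_ip not in self.bindings:
                used = set(self.bindings.values())
                free = [a for a in self.pool if a not in used]
                if not free:
                    return None                     # pool exhausted
                self.bindings[src_ip] = free[0]
            return (self.bindings[src_ip], src_port)  # address only; the port is preserved
        key = (src_ip, src_port)
        if key not in self.sessions:
            pool_ip = self.pool[len(self.sessions) % len(self.pool)]
            self.sessions[key] = (pool_ip, self.next_port)
            self.next_port += 1
        return self.sessions[key]


ACL_2001 = [("permit", "10.110.10.0", "0.0.0.255")]   # rule permit source 10.110.10.0 0.0.0.255
POOL_1 = address_group("202.110.10.10", "202.110.10.12")
HOSTS = [f"10.110.10.{n}" for n in (1, 2, 3, 4)]       # constructed: four inside hosts


def demo(no_pat: bool) -> list:
    """Translate one flow (source port 40000) from each of the four hosts."""
    nat = OutboundNat(ACL_2001, POOL_1, no_pat=no_pat)
    return [nat.translate(host, 40000) for host in HOSTS]
```

With no-pat the number of pool addresses bounds the number of inside hosts that can be translated at once (the fourth host on a three-address pool gets None). With NAPT several inside hosts share one pool address and only the translated port tells them apart, so NAT logs have to record the translated port for a flow to be attributed to an inside host.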
Format
nat acl-number address-group { group-number | group-name } [ no-pat ]
undo nat acl-number address-group { group-number | group-name } [ no-pat ]
Parameters
acl-number: specifies the index of the access control list. The value ranges from 2000 to 3999.
group-number: specifies the number of the defined address pool. The value ranges from 0 to 255.
group-name: specifies the name of the address pool. The value is a string of 1 to 16 characters starting with a letter.
no-pat: uses one-to-one address translation; only the address of the packet is translated and port information is not used. By default, no-pat is not set and NAPT is used.
Views
Security zone view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Configure intrazone NAT in a security zone.
<Eudemon> system-view
[Eudemon] firewall zone trust
[Eudemon-zone-trust] nat 3333 address-group 1
Format
nat address-group group-number [ address-group-name ] start-address end-address [ vrrp virtual-router-id ] [ vpn-instance vpn-instance-name ]
undo nat address-group { group-number | address-group-name } [ vrrp ]
Parameters
group-number: specifies the number of the address group, in the range of 0 to 255.
address-group-name: specifies the name of the address pool. The value is a string of 1 to 16 characters starting with a letter.
start-address: the start address of the address group.
end-address: the end address of the address group.
vrrp virtual-router-id: specifies a VRRP backup group number, in the range of 1 to 255.
vpn-instance vpn-instance-name: specifies the name of a VPN instance. The value is a string of 1 to 19 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
CAUTION
- The maximum length of an address group, that is, the number of addresses in it, is 256.
- An address group that is in use for ACL-based address translation cannot be deleted.

An address group is a set of external IP addresses. If start-address is identical with end-address, the group contains a single address.
When you configure an address pool with nat address-group and the vrrp parameter is present, the Eudemon answers ARP requests for the pool addresses with the virtual MAC address of the VRRP group; without the vrrp parameter it answers with the actual MAC address of the interface.
The undo nat address-group command accepts the vrrp parameter. Executed with the VRRP group number, it removes only the VRRP attribute of the address pool and leaves the rest of the pool configuration unchanged; subsequent ARP requests are then answered with the actual MAC address of the interface.
Examples
# Configure address group 1 with IP addresses from 202.110.10.10 to 202.110.10.15.
<Eudemon> system-view
[Eudemon] nat address-group 1 202.110.10.10 202.110.10.15
Format
nat arp-gratuitous send
Parameters
None
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
This command makes the interface send gratuitous ARP packets (called "free ARP" in some translations). A gratuitous ARP announces the addresses the Eudemon answers ARP for on that interface, so that neighbouring devices refresh their ARP entries, for example after NAT addresses are configured or moved.
Examples
# Configure the interface to send gratuitous ARP packets.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] nat arp-gratuitous send
Format
nat server [ zone [ vpn-instance vpn-instance-name ] zone-name ] global global-address inside host-address [ vrrp virtual-router-id ] [ no-reverse ] [ vpn-instance vpn-instance-name ]
nat server [ zone [ vpn-instance vpn-instance-name ] zone-name ] protocol protocol-type global global-address [ global-port1 ] inside host-address [ global-port2 ] [ vrrp virtual-router-id ] [ no-reverse ] [ vpn-instance vpn-instance-name ]
undo nat server [ zone [ vpn-instance vpn-instance-name ] zone-name ] global global-address inside host-address
undo nat server [ zone [ vpn-instance vpn-instance-name ] zone-name ] protocol protocol-type global global-address inside host-address [ vrrp virtual-router-id ] [ vpn-instance vpn-instance-name ]
Parameters
global-address: the IP address (a valid external address) that external hosts access.
host-address: the internal IP address of the server.
protocol-type: the type of the protocol carried over IP. The protocol number ranges from 1 to 255; a keyword such as tcp can be used instead.
vrrp virtual-router-id: the ID of a VRRP backup group. The value ranges from 1 to 255.
zone zone-name: configures the internal server mapping table for the specified zone.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Using the nat server command, you can make servers on the internal (private) network, such as WWW, FTP, TELNET, POP3 and DNS servers, reachable from the external network. When an internal server mapping is configured with the vrrp parameter, the Eudemon answers a client's ARP request for the external address of the NAT server with the virtual MAC address of the VRRP group; without the vrrp parameter it answers with the actual MAC address of the corresponding interface. The undo nat server command does not support the vrrp parameter: to add VRRP to an existing mapping, delete the mapping with the undo command and then re-create it with nat server including vrrp.
Examples
# Configure the hosts at 10.110.10.10 and 10.110.10.11 as the WWW server and the FTP server of the LAN, so that external hosts reach them at http://202.110.10.10:8080 and ftp://202.110.10.10 respectively.
<Eudemon> system-view
[Eudemon] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
[Eudemon] nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp
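The internal server mapping from the example above, as an added Python example (not Eudemon code): a static, bidirectional table that rewrites the destination of inbound packets to the inside host and port, and the source of the server's replies back to the global address and port. That the global port defaults to the inside port when it is omitted (as the ftp://202.110.10.10 wording of the example implies), the keyword-to-port table and returning None for unmapped traffic are this example's assumptions; the two mappings themselves are the manual's.

```python
"""Internal server mapping modelled on
nat server protocol protocol-type global global-address [ global-port ] inside host-address [ host-port ].

Added example, not Eudemon code. Assumptions: a mapping is static and
bidirectional; an omitted global port equals the inside port and vice versa;
an external (protocol, address, port) triple can lead to only one server;
a packet that matches no mapping is reported as None and left to the
interzone policy.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

WELL_KNOWN_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "pop3": 110, "dns": 53}


def port_number(port) -> int:
    """Accept a keyword (www, ftp, ...) or a numeric port, as the CLI does."""
    return WELL_KNOWN_PORTS[port] if isinstance(port, str) else int(port)


@dataclass(frozen=True)
class ServerMapping:
    protocol: str
    global_ip: str
    global_port: int
    inside_ip: str
    inside_port: int


class NatServerTable:
    def __init__(self):
        self.entries = []

    def add(self, protocol, global_ip, inside_ip, global_port=None, inside_port=None) -> ServerMapping:
        if global_port is None and inside_port is None:
            raise ValueError("a protocol-based mapping needs at least one port")
        gport = port_number(global_port if global_port is not None else inside_port)
        iport = port_number(inside_port if inside_port is not None else global_port)
        for e in self.entries:
            if (e.protocol, e.global_ip, e.global_port) == (protocol, global_ip, gport):
                raise ValueError(f"{protocol} {global_ip}:{gport} already maps to {e.inside_ip}:{e.inside_port}")
        entry = ServerMapping(protocol, global_ip, gport, inside_ip, iport)
        self.entries.append(entry)
        return entry

    def inbound(self, protocol, dst_ip, dst_port) -> Optional[Tuple[str, int]]:
        """Rewrite the destination of a packet arriving from the external side."""
        for e in self.entries:
            if (e.protocol, e.global_ip, e.global_port) == (protocol, dst_ip, dst_port):
                return (e.inside_ip, e.inside_port)
        return None

    def outbound(self, protocol, src_ip, src_port) -> Optional[Tuple[str, int]]:
        """Rewrite the source of the server's reply so it leaves with the global address."""
        for e in self.entries:
            if (e.protocol, e.inside_ip, e.inside_port) == (protocol, src_ip, src_port):
                return (e.global_ip, e.global_port)
        return None


def demo() -> NatServerTable:
    """The manual's two mappings, constructed here."""
    table = NatServerTable()
    table.add("tcp", "202.110.10.10", "10.110.10.10", global_port=8080, inside_port="www")
    table.add("tcp", "202.110.10.10", "10.110.10.11", inside_port="ftp")
    return table
```

Only the configured (protocol, address, port) triples are reachable; a packet to the same global address on another port or protocol is not rewritten, which is what keeps a server mapping from exposing the inside host as a whole.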
Format
add interface interface-type interface-number
undo add interface interface-type interface-number
Parameters
interface-type: specifies the type of an interface. interface-number: specifies the number of an interface.
Views
Static multicast interface set view
Default Level
2: Configuration level
Usage Guidelines
After an interface is added to a static multicast interface set, multicast packets matched by a static route that references the set are forwarded out of every interface in the set. By default, a static multicast interface set contains no interfaces. A set may hold several interfaces, each of which forwards the packets of the static multicast entries that use the set. Only Ethernet interfaces can be added to a static multicast interface set.
Examples
# Add the Ethernet 1/0/0 interface to static multicast interface set a1.
<Eudemon> system-view
[Eudemon] multicast interface-set a1
[Eudemon-if-set-a1] add interface ethernet 1/0/0
Format
display multicast interface-set [ set-name ]
Parameters
set-name: specifies the name of the interface set. It is a string in a range of 1 character to 32 characters. Its initial character is among a to z or A to Z.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the information of interface set a1.
<Eudemon> display multicast interface-set a1
Format
display multicast route-table static [ source source-address [ group group-address ] ]
Parameters
source source-address: refers to the source address of multicast. group group-address: refers to the group address of multicast.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display all static multicast route entries.
<Eudemon> display multicast route-table static
Format
multicast interface-set set-name
undo multicast interface-set set-name
Parameters
set-name: specifies the name of the interface set. It is a string in a range of 1 character to 32 characters. The initial character is a to z or A to Z and case insensitive.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Create the interface set named a1.
<Eudemon> system-view
[Eudemon] multicast interface-set a1
Function
Using the multicast route-table static source command, you can create static multicast route entries. Using the undo multicast route-table static source command, you can delete the specified static multicast route entry.
Format
multicast route-table static source source-address group group-address in-interface interface-type interface-number interface-set set-name [ newsource source-address ]
undo multicast route-table static source source-address group group-address
Parameters
source source-address: the source address of the multicast stream.
group group-address: the multicast group address.
interface-type: the type of the inbound interface of the multicast stream.
interface-number: the number of the inbound interface of the multicast stream.
set-name: the name of the multicast interface set. It is a string of 1 to 32 characters.
newsource source-address: the translated multicast source address, that is, the source address after NAT.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Note that:
- Neither the original multicast source address nor the translated multicast source address can be a multicast address. The multicast group address must be a multicast address.
- Multicast forwarding entries are stored by (S, G), and two entries cannot be configured with the same (S, G); otherwise the Eudemon regards them as the same entry.
- Once a multicast forwarding entry is configured, it cannot be modified. To change it, delete the entry and re-create it.
- After a static multicast route entry is configured, the Eudemon forwards packets according to the configured rules and paths.
Examples
# Create a static multicast route entry.
<Eudemon> system-view
[Eudemon] multicast route-table static source 192.168.200.79 group 235.0.0.1 in-interface GigabitEthernet 0/0/1 interface-set a1 newsource 202.16.0.1
3.13.1 add
Function
Using the add command, you can forbid the FTP "get" or "put" operation for the traffic a deep inspection group applies to. Using the undo add command, you can allow the operation again.
Format
add { ftp-get | ftp-put } undo add { ftp-get | ftp-put }
Parameters
ftp-get: refers to the "get" operation of FTP. ftp-put: refers to the "put" operation of FTP.
Views
Deep inspection group view
Default Level
2: Configuration level
Usage Guidelines
By default, no keyword check is performed, so both FTP "get" and "put" are allowed.
Examples
# Forbid users to perform the FTP "get" operation (deep inspection group 1 is used here).
<Eudemon> system-view
[Eudemon] deep-inspection group 1
[Eudemon-deepinspection-group-1] add ftp-get
Format
deep-inspection group group-id undo deep-inspection group group-id
Parameters
group-id: refers to the index number of a deep inspection group. It is an integer in a range of 1 to 12.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enter the deep inspection group with the index number as 1.
<Eudemon> system-view
[Eudemon] deep-inspection group 1
[Eudemon-deepinspection-group-1]
Format
display deep-inspection { all | group group-id }
Parameters
all: displays the information of all deep inspection groups. group group-id: displays the specified deep inspection group.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the information of all deep inspection groups.
<Eudemon> display deep-inspection all
Format
firewall deep-inspection group-id { inbound | outbound } undo firewall deep-inspection group-id { inbound | outbound }
Parameters
group-id: the index number of a deep inspection group. It is an integer in the range of 1 to 12.
inbound: applies the deep inspection group to traffic in the inbound direction of the interzone.
outbound: applies the deep inspection group to traffic in the outbound direction of the interzone.
Views
Interzone view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Apply the deep inspection group with index 1 in the inbound direction between the trust zone and the untrust zone.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] firewall deep-inspection 1 inbound
3.14.20 firewall gtp tunnel-log enable
3.14.21 gtp
3.14.22 gtp policy
3.14.23 ie-confirm enable
3.14.24 message length enable
3.14.25 reset firewall gtp statistics
3.14.26 reset firewall gtp tunnel all
3.14.27 reset rule counter
3.14.28 rule (ACL configuration view for GTP policy)
3.14.29 step (ACL configuration view for GTP policy)
3.14.1 acl
Function
Using the acl command, you can enter the ACL configuration view of a GTP policy.
Format
acl
Parameters
None
Views
GTP policy view
Default Level
2: Configuration level
Usage Guidelines
To specify the data streams a GTP policy filters, enter the ACL view of the GTP policy and configure the ACL rules there.
Examples
# Enter the ACL configuration view of GTP policy gtp1 and configure an ACL rule.
<Eudemon> system-view
[Eudemon] gtp policy gtp1
[Eudemon-gtp-gtp1] acl
[Eudemon-gtp-gtp1-acl] rule permit all
Format
debugging gtp { all | decode | error | gtpc | gtphrp | gtplog | gtpstat | gtpu | safebill }
Parameters
all: displays all debugging information, including decode, error, gtpc, gtphrp, gtplog, gtpstat and gtpu.
decode: displays debugging information (including error information) during decoding.
error: displays debugging information when the GTP module encounters an error.
gtpc: displays debugging information (including error information) during GTP-C processing.
gtphrp: displays debugging information for GTP hot backup.
gtplog: displays debugging information for GTP logs.
gtpstat: displays debugging information for GTP statistics.
gtpu: displays debugging information for GTP-U data.
safebill: displays debugging information of the charging overflow attack defense module.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Enable GTP debugging.
<Eudemon> debugging gtp all
Table 3-5 shows the description of the debugging gtp all command output.
Table 3-5 Description of the debugging gtp all command output
Field: Description
CREATE_PDP_CONTEXT_REQ message ie check success!: The IE check of the Create PDP Context Request message succeeded.
GTP decode success!: GTP decoding succeeded.
Gtp process begin!: GTP processing started.
Gtp process success!: GTP processing succeeded.
Format
debugging gtp safebill undo debugging gtp safebill
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enable the function of debugging the charging overflow attack defense module on the Eudemon.
<Eudemon> debugging gtp safebill
Format
display firewall gtp mcc
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the number of MNC digits configured for each MCC.
<Eudemon> display firewall gtp mcc
MCC    MNC Bits
123    3

Table 3-6 Description of the display firewall gtp mcc command output
Item: Description
MCC: Mobile country code. It consists of three digits and uniquely identifies the country of a mobile subscriber, for example 460 for China.
MNC Bits: Number of digits (two or three) in the mobile network code, which identifies the mobile communication network of a mobile subscriber.
Function
Using the display firewall gtp policy command, you can view the specified GTP policy.
Format
display firewall gtp policy policy-name
Parameters
policy-name: indicates the name of a GTP packet filter policy. The value is a character string of 1 to 10 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the information of GTP policy gtp1.
<Eudemon> display firewall gtp policy gtp1
total 0 rules
acl's step is 5
Format
display firewall gtp safebill { client-info | config-info }
Parameters
client-info: when the Eudemon acts as the server, displays the terminals connected to it.
config-info: displays the configuration of charging overflow attack defense on the Eudemon.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# View the configurations of charging overflow attack defense on the current Eudemon.
<Eudemon> system-view
[Eudemon] display firewall gtp safebill config-info
Format
display firewall gtp statistics [ discard | receive ] [ v0 | v1 | other ]
Parameters
discard: displays the number of discarded packets.
receive: displays the number of received packets.
v0: displays the number of GTP V0 packets.
v1: displays the number of GTP V1 packets.
other: displays the number of packets that are neither V0 nor V1 packets.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the GTP statistics information.
<Eudemon> display firewall gtp statistics
Firewall system gtp statistic information
receive v0 gtpc packets                         0
discard v0 gtpc packets                         0
receive v1 gtpc packets                         0
discard v1 gtpc packets                         0
receive v0 gtpu packets                         0
discard v0 gtpu packets                         0
receive v1 gtpu packets                         0
discard v1 gtpu packets                         0
receive gtp v0 packets                          0
discard gtp v0 packets                          0
receive gtp v1 packets                          0
discard gtp v1 packets                          0
receive gtp' packets                            0
discard gtp' packets                            0
receive unknown version packets                 0
discard unknown version packets                 0
receive unknown message packets                 0
discard unknown message packets                 0
receive v0 echo request packets                 0
discard v0 echo request packets                 0
receive v1 echo request packets                 0
discard v1 echo request packets                 0
receive v0 echo response packets                0
discard v0 echo response packets                0
receive v1 echo response packets                0
discard v1 echo response packets                0
receive v0 create-pdp-request packets           0
discard v0 create-pdp-request packets           0
receive v1 create-pdp-request packets           0
discard v1 create-pdp-request packets           0
receive v1 second create-pdp-request packets    0
discard v1 second create-pdp-request packets    0
receive v0 create-pdp-response packets          0
discard v0 create-pdp-response packets          0
receive v1 create-pdp-response packets          0
discard v1 create-pdp-response packets          0
receive v0 update-pdp-request packets           0
discard v0 update-pdp-request packets           0
receive right v1 sntogn update-pdp-request packets  0
discard v1 update-pdp-request packets           0
receive right v1 gntosn update-pdp-request packets  0
receive v0 update-pdp-response packets          0
discard v0 update-pdp-response packets          0
receive v1 gntosn update-pdp-response packets   0
discard v1 gntosn update-pdp-response packets   0
receive v1 sntogn update-pdp-response packets   0
discard v1 sntogn update-pdp-response packets   0
receive v0 delete-pdp-request packets           0
discard v0 delete-pdp-request packets           0
receive v1 delete-pdp-request packets           0
discard v1 delete-pdp-request packets           0
receive v0 delete-pdp-response packets          0
discard v0 delete-pdp-response packets          0
receive v1 delete-pdp-response packets          0
discard v1 delete-pdp-response packets          0
receive v0 error indication packets             0
discard v0 error indication packets             0
receive v1 error indication packets             0
discard v1 error indication packets             0
receive total gtpc packets                      0
receive total gtpu packets                      0
discard total gtpc packets                      0
discard total gtpu packets                      0
Table 3-7 shows the description of the display firewall gtp statistics command output.
Table 3-7 Description of the display firewall gtp statistics command output
Item: Description
v0 gtpc: GTP-C message in GTP V0
v1 gtpc: GTP-C message in GTP V1
v0 gtpu: GTP-U message in GTP V0
v1 gtpu: GTP-U message in GTP V1
gtp v0: Message in GTP V0
gtp v1: Message in GTP V1
gtp': GTP' message
unknown version: Message of an unknown version
unknown message: Message of an unknown type
echo request: Echo request
echo response: Echo response
create-pdp-request: Request to create a PDP context
create-pdp-response: Response to creating a PDP context
second create-pdp-request: Request to create a PDP context for a secondary activation
update-pdp-request: Request to update a PDP context
update-pdp-response: Response to updating a PDP context
delete-pdp-request: Request to delete a PDP context
delete-pdp-response: Response to deleting a PDP context
error indication: Error indication
gtpc: GTP-C messages; the value equals the sum of the v0 gtpc and v1 gtpc counters
gtpu: GTP-U messages; the value equals the sum of the v0 gtpu and v1 gtpu counters
message length: Packet discarded because the message length is too long
serial number: Packet discarded because of a sequence number error
Further discard reasons in the table (item column not recoverable on this page):
Packet discarded because of a version error
Packet discarded because of a message type error
Packet discarded because of an IE version error
Packet discarded because of a state error
Packet discarded because of the tunnel rate
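The version and message-type classification behind these counters (and behind the filter message-type command later in this chapter), as an added Python example that is not Eudemon code. It decodes the first octets of a GTP header per 3GPP TS 09.60 (GTP V0) and TS 29.060 (GTP V1): the PT bit separates GTP from GTP', the version field gives V0, V1 or unknown version, the message type octet gives the message name or "unknown message", and the length field is checked against the bytes actually present (the "message length" discard reason in Table 3-7). The GTP-C/GTP-U split by UDP port (2123/2152, with V0 on 3386), treating G-PDU as GTP-U, the filter rule set and every sample packet are this example's own constructions.

```python
"""Classify GTP packets into the buckets of `display firewall gtp statistics`
and apply a message-type filter like `filter message-type`.

Added example, not Eudemon code. Header layouts follow 3GPP TS 09.60 (GTP V0)
and TS 29.060 (GTP V1). Assumptions: GTP-U is anything on UDP 2152 or with
message type 255 (G-PDU); a filter rule is (version, message) with "*" for
every message of that version; a filtered or malformed packet is discarded.
"""
import struct
from collections import Counter

GTPU_PORT_V1 = 2152
HEADER_LEN = {"v0": 20, "v1": 8}      # mandatory header; v1 adds 4 octets when E/S/PN is set

# Message type codes common to GTP V0 and V1 (TS 09.60 / TS 29.060).
MESSAGE_TYPES = {
    1: "echo-request", 2: "echo-response", 3: "version-not-supported",
    16: "create-pdp-context-request", 17: "create-pdp-context-response",
    18: "update-pdp-context-request", 19: "update-pdp-context-response",
    20: "delete-pdp-context-request", 21: "delete-pdp-context-response",
    26: "error-indication", 255: "g-pdu",
}


def classify(dst_port: int, payload: bytes) -> dict:
    """Decode the first two octets of a GTP header into a counter bucket."""
    if len(payload) < 2:
        raise ValueError("truncated GTP header")
    flags, msg_type = payload[0], payload[1]
    version = flags >> 5                 # bits 8..6
    pt = (flags >> 4) & 1                # bit 5: 1 = GTP, 0 = GTP' (charging)
    if pt == 0:
        ver = "gtp'"
    elif version in (0, 1):
        ver = f"v{version}"
    else:
        ver = "unknown version"
    plane = "gtpu" if (dst_port == GTPU_PORT_V1 or msg_type == 255) else "gtpc"
    return {"version": ver, "plane": plane,
            "message": MESSAGE_TYPES.get(msg_type, "unknown message")}


def length_ok(info: dict, payload: bytes) -> bool:
    """The length field must not claim more octets than are present."""
    if info["version"] not in HEADER_LEN:
        return True                      # no fixed layout to check against
    hdr = HEADER_LEN[info["version"]]
    if info["version"] == "v1" and payload[0] & 0x07:
        hdr += 4                         # optional sequence / N-PDU / extension octets
    if len(payload) < hdr:
        return False
    claimed = struct.unpack("!H", payload[2:4])[0]   # octets following the mandatory header
    return HEADER_LEN[info["version"]] + claimed <= len(payload)


def run(packets, filter_rules) -> Counter:
    """Count receive/discard per bucket, in the wording of the command output."""
    counts = Counter()
    for dst_port, payload in packets:
        info = classify(dst_port, payload)
        key = f"{info['version']} {info['plane']}"
        counts[f"receive {key} packets"] += 1
        drop = (not length_ok(info, payload)
                or (info["version"], "*") in filter_rules
                or (info["version"], info["message"]) in filter_rules)
        if drop:
            counts[f"discard {key} packets"] += 1
    return counts


def totals(counts: Counter) -> dict:
    """Table 3-7: total gtpc = v0 gtpc + v1 gtpc, total gtpu = v0 gtpu + v1 gtpu."""
    return {f"{action} total {plane} packets":
            sum(counts[f"{action} v{v} {plane} packets"] for v in (0, 1))
            for action in ("receive", "discard") for plane in ("gtpc", "gtpu")}


def v1_packet(msg_type, body=b"", port=2123, seq=True):
    flags = 0x30 | (0x02 if seq else 0)                       # version 1, PT=1, S bit
    opt = struct.pack("!HBB", 1, 0, 0) if seq else b""        # sequence, N-PDU, next extension
    return port, bytes([flags, msg_type]) + struct.pack("!HI", len(opt) + len(body), 0) + opt + body


def v0_packet(msg_type, body=b""):
    # 0x1E: version 0, PT=1, spare 111, SNN=0; then length, sequence, flow label,
    # SNDCP N-PDU number, three spare octets and the 8-octet TID
    hdr = bytes([0x1E, msg_type]) + struct.pack("!HHHB", len(body), 1, 0, 0) + b"\xff" * 3 + b"\x00" * 8
    return 3386, hdr + body


SAMPLE = [                                                    # constructed packets
    v1_packet(1),                                             # v1 echo request
    v1_packet(16, b"\x00" * 20),                              # v1 create PDP context request
    v1_packet(255, b"\x45" + b"\x00" * 19, port=2152, seq=False),   # v1 G-PDU
    v0_packet(16, b"\x00" * 10),                              # v0 create PDP context request
    (3386, bytes([0x0E, 0x01]) + struct.pack("!H", 0) + b"\x00" * 2),   # GTP': PT bit clear
    (2123, bytes([0x72, 0x01]) + struct.pack("!HI", 0, 0)),             # version 3: unknown
    (2123, bytes([0x32, 0x01]) + struct.pack("!HI", 0x1000, 0) + struct.pack("!HBB", 1, 0, 0)),  # length lies
    v1_packet(200),                                           # unknown message type
]
FILTER = {("gtp'", "*"), ("unknown version", "*"), ("v1", "echo-request"), ("v1", "unknown message")}


def demo() -> Counter:
    return run(SAMPLE, FILTER)
```

Two of the eight packets are dropped for reasons no message-type rule would catch: one whose version field is neither 0 nor 1, and one whose length field promises 4096 octets in a 12-octet datagram. Those are the "unknown version" and "message length" counters; a filter built only from message names would let both through to the decoder.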
Format
display firewall gtp tunnel [ apn apn-name | counter | destination-ip ip-address | imsi imsi-mccmnc | msisdn msisdn-name | rai rai-mccmnc | source-ip ip-address | teid teid | tid tid-name ]
Parameters
apn apn-name: the name of an access point. The value is a string of 1 to 63 characters.
counter: displays the number of tunnels currently on the Eudemon.
destination-ip ip-address: the destination IP address of a tunnel, in dotted decimal format.
imsi imsi-mccmnc: the IMSI prefix. The value is a string of 5 to 6 characters.
msisdn msisdn-name: the MSISDN. The value is a string of 1 to 15 characters.
rai rai-mccmnc: the RAI prefix. The value is a string of 5 to 6 characters.
source-ip ip-address: the source IP address of a tunnel, in dotted decimal format.
teid teid: the ID of a tunnel in GTP V1. It is an integer in the range of 0 to 4294967295.
tid tid-name: the ID of a tunnel in GTP V0. The value is a string of 16 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display GTP tunnel information.
<Eudemon> display firewall gtp tunnel
Table 3-8 shows the description of the display firewall gtp tunnel command output.
Table 3-8 Description of the display firewall gtp tunnel command output
Item: Description
version: Version of the tunnel message, V0 or V1
current message value: ID value of the tunnel management information
sgsn sign address: Signaling packet address on the SGSN
ggsn sign address: Signaling packet address on the GGSN
sgsn data address: Data packet address on the SGSN
ggsn data address: Data packet address on the GGSN
sgsn sign flow id: Signaling tunnel ID on the SGSN
ggsn sign flow id: Signaling tunnel ID on the GGSN
sgsn data flow id: Data tunnel ID on the SGSN
ggsn data flow id: Data tunnel ID on the GGSN
sequence number: Sequence number of a tunnel packet
imsi: IMSI prefix
nsapi: ID of a network service access point
rai: RAI prefix
apn: Name of an access point
msisdn: MSISDN
TTL: Aging time
left: Remaining TTL of the tunnel
Function
Using the filter message-type command, you can configure filtering of GTP and GTP' messages: the Eudemon discards GTP packets whose message type matches the specified type. Using the undo filter message-type command, you can cancel the filter.
Format
filter message-type { all | gtp' | unknown { message | version-number | version-type } | { v0 [ create-aa-pdp-context-request | create-aa-pdp-context-response | create-pdp-context-request | create-pdp-context-response | delete-aa-pdp-context-request | delete-aa-pdp-context-response | delete-pdp-context-request | delete-pdp-context-response | echo-request | echo-response | error-indication | failure-report-request | failure-report-response | g-pdu | identification-request | identification-response | note-ms-gprs-present-request | note-ms-gprs-present-response | pdu-notification-reject-request | pdu-notification-reject-response | pdu-notification-request | pdu-notification-response | send-route-request | send-route-response | sgsn-context-acknowledge | sgsn-context-request | sgsn-context-response | update-pdp-context-request | update-pdp-context-response | version-not-supported ] | v1 [ create-pdp-context-request | create-pdp-context-response | delete-pdp-context-request | delete-pdp-context-response | echo-request | echo-response | error-indication | failure-report-request | failure-report-response | fwd-relocation-complete | fwd-relocation-complete-acknowledge | fwd-relocation-request | fwd-relocation-response | fwd-srns-context | fwd-srns-context-acknowledge | g-pdu | identification-request | identification-response | note-ms-gprs-present-request | note-ms-gprs-present-response | pdu-notification-reject-request | pdu-notification-reject-response | pdu-notification-request | pdu-notification-response | relocation-cancel-request | relocation-cancel-response | send-route-request | send-route-response | sgsn-context-acknowledge | sgsn-context-request | sgsn-context-response | supported-extension-headers-notification | update-pdp-context-request | update-pdp-context-response | version-not-supported ] } }
undo filter message-type { all | gtp' | unknown { message | version-number | version-type } | { v0 [ create-aa-pdp-context-request | create-aa-pdp-context-response | create-pdp-context-request | create-pdp-context-response | delete-aa-pdp-context-request | delete-aa-pdp-context-response | delete-pdp-context-request | delete-pdp-context-response | echo-request | echo-response | error-indication | failure-report-request | failure-report-response | g-pdu | identification-request | identification-response | note-ms-gprs-present-request | note-ms-gprs-present-response | pdu-notification-reject-request | pdu-notification-reject-response | pdu-notification-request | pdu-notification-response | send-route-request | send-route-response | sgsn-context-acknowledge | sgsn-context-request | sgsn-context-response | update-pdp-context-request | update-pdp-context-response | version-not-supported ] | v1 [ create-pdp-context-request | create-pdp-context-response | delete-pdp-context-request | delete-pdp-context-response | echo-request | echo-response | error-indication | failure-report-request | failure-report-response | fwd-relocation-complete | fwd-relocation-complete-acknowledge | fwd-relocation-request | fwd-relocation-response | fwd-srns-context | fwd-srns-context-acknowledge | g-pdu | identification-request | identification-response | note-ms-gprs-present-request | note-ms-gprs-present-response | pdu-notification-reject-request | pdu-notification-reject-response | pdu-notification-request | pdu-notification-response | relocation-cancel-request | relocation-cancel-response | send-route-request | send-route-response | sgsn-context-acknowledge | sgsn-context-request | sgsn-context-response | supported-extension-headers-notification | update-pdp-context-request | update-pdp-context-response | version-not-supported ] } }
3 Security Defense
Parameters
all: indicates all messages.
gtp': indicates all GTP' messages.
unknown: indicates messages that cannot be identified.
message: indicates messages whose message type is unknown.
version-number: indicates messages whose version number is unknown.
v0: indicates that the version number of the GTP message is GTP V0.
v1: indicates that the version number of the GTP message is GTP V1.
create-aa-pdp-context-request: indicates a request to create a PDP context for an anonymous access (AA) user.
create-aa-pdp-context-response: indicates the response to creating a PDP context for an anonymous access user.
delete-aa-pdp-context-request: indicates a request to delete a PDP context of an anonymous access user.
delete-aa-pdp-context-response: indicates the response to deleting a PDP context of an anonymous access user.
create-pdp-context-request: indicates a request to create a PDP context.
create-pdp-context-response: indicates the response to creating a PDP context.
delete-pdp-context-request: indicates a request to delete a PDP context.
delete-pdp-context-response: indicates the response to deleting a PDP context.
echo-request: indicates an echo request.
echo-response: indicates an echo response.
error-indication: indicates an error indication.
failure-report-request: indicates a failure report request.
failure-report-response: indicates a failure report response.
g-pdu: indicates a GTP packet data unit transmitted over a tunnel. A G-PDU consists of the GTP header and a T-PDU. The T-PDU is the original IP packet, sent by the MS or by the external packet data network node, and is carried as the payload of the GTP tunnel packet.
identification-request: indicates an identification request.
identification-response: indicates an identification response.
note-ms-gprs-present-request: indicates a Note MS GPRS Present request.
note-ms-gprs-present-response: indicates a Note MS GPRS Present response.
pdu-notification-reject-request: indicates a PDU notification reject request.
Issue 03 (2009-06-18) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 3-133
pdu-notification-reject-response: indicates a PDU notification reject response.
pdu-notification-request: indicates a PDU notification request.
pdu-notification-response: indicates a PDU notification response.
send-route-request: indicates a Send Routeing Information for GPRS request.
send-route-response: indicates a Send Routeing Information for GPRS response.
sgsn-context-acknowledge: indicates an SGSN context acknowledge message.
sgsn-context-request: indicates an SGSN context request.
sgsn-context-response: indicates an SGSN context response.
update-pdp-context-request: indicates a request to update a PDP context.
update-pdp-context-response: indicates the response to updating a PDP context.
version-not-supported: indicates a Version Not Supported message, that is, the peer does not support the GTP version of the packet.
Views
GTP policy view
Default Level
2: Configuration level
Usage Guidelines
The Eudemon supports R97 GTP (V0) and R99 GTP (V1) packets. By default, the Eudemon supports both V0 and V1 packets. The packet types that the Eudemon can filter are the same in V0 and in V1. The packet types are as follows:
create-pdp-context-request
create-pdp-context-response
delete-pdp-context-request
delete-pdp-context-response
echo-request
echo-response
error-indication
g-pdu
update-pdp-context-request
update-pdp-context-response
NOTE
Many command parameters are available. Therefore, it is recommended that you enter the parameters in alphabetical order when you use the filter message-type or undo filter message-type command.
Examples
# Configure the filter of create-pdp-context-request messages in V0.
<Eudemon> system-view
[Eudemon] gtp policy gtp1
[Eudemon-gtp-gtp1] filter message-type v0 create-pdp-context-request
Format
firewall gtp aging-time value
undo firewall gtp aging-time
Parameters
value: specifies the aging time of GTP tunnels. The value ranges from 1 to 65535 and is expressed in seconds. The default value is 3600.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
This command is used to set the aging time of GTP tunnels. The default aging time is 3600 seconds.
Examples
# Set the aging time of GTP tunnels to 65535s.
<Eudemon> system-view
[Eudemon] firewall gtp aging-time 65535
Using the undo firewall gtp gtpingtp-deny enable command, you can cancel the above configuration.
Format
firewall gtp gtpingtp-deny enable user-name vpn-instance vpn-instance-name
undo firewall gtp gtpingtp-deny enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, GTP-in-GTP packets (GTP packets encapsulated inside GTP packets) are discarded.
Examples
# Set the discarding of GTP in GTP packets.
<Eudemon> system-view
[Eudemon] undo firewall gtp gtpingtp-deny enable
Format
firewall gtp limit { rate { control | exheader-notify-msg } rate-value | tunnel tunnel-number }
undo firewall gtp limit { rate { control | exheader-notify-msg } | tunnel }
Parameters
control: restricts the rate of the signaling tunnel.
exheader-notify-msg: restricts the rate of supported extension headers notification messages.
rate-value: indicates the rate limit for GTP tunnel packets. The value ranges from 1 to 4000 in packets/second. The default value is 1000 packets/second.
tunnel-number: indicates the maximum number of GTP tunnels supported by the Eudemon. The value ranges from 1 to 2000000. The default value is 100000.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the rate limit of the GTP signaling (control) channel on the Eudemon to 300 packets/second.
<Eudemon> system-view
[Eudemon] firewall gtp limit rate control 300
Format
firewall gtp mcc mcc-value mnc { three | two }
undo firewall gtp mcc mcc-value
Parameters
mcc mcc-value: indicates the mobile country code (MCC). It consists of three decimal digits and uniquely identifies the country of a mobile subscriber, for example, 460 for China.
mnc: indicates the mobile network code (MNC). It consists of two or three digits and identifies the mobile communication network of a mobile subscriber.
three: indicates that the MNC has three digits.
two: indicates that the MNC has two digits.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The MCC and MNC fields are carried in the IMSI and RAI IEs. During decoding, the Eudemon determines the number of MNC digits from the MCC. You can also specify the number of MNC digits manually. By default, the MNC has two digits.
Examples
# Set the number of MNC digits to three for MCC 123.
<Eudemon> system-view
[Eudemon] firewall gtp mcc 123 mnc three
Format
firewall gtp state-check enable
undo firewall gtp state-check enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After a GTP tunnel is established with the peer GSN, the Eudemon filters GTP packets to protect the sessions between the communicating parties. By default, GTP state check on the Eudemon is disabled.
Examples
# Enable GTP state check.
<Eudemon> system-view
[Eudemon] firewall gtp state-check enable
Format
firewall gtp statistics enable
undo firewall gtp statistics enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, GTP statistics on the Eudemon are disabled.
Examples
# Enable GTP statistics.
<Eudemon> system-view
[Eudemon] firewall gtp statistics enable
Format
firewall gtp safebill location { gi | gn }
undo firewall gtp safebill location
Parameters
gi: specifies that the Eudemon works on the Gi interface.
gn: specifies that the Eudemon works on the Gn interface.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
You need to configure the command before configuring the module for charging overflow attack defense.
Examples
# Configure that the Eudemon works on the Gi interface.
<Eudemon> system-view
[Eudemon] firewall gtp safebill location gi
Format
firewall gtp safebill id id
undo firewall gtp safebill id
Parameters
id: sets the ID of the charging overflow attack defense module on the Eudemon. It is an integer in the range of 1 to 50.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The Eudemons that cooperate with each other on the Gi interface and the Gn interface must be configured with the same ID.
Examples
# Configure the ID of the charging overflow attack defense module on the Eudemon to 10.
<Eudemon> system-view
[Eudemon] firewall gtp safebill id 10
Format
firewall gtp safebill enable
undo firewall gtp safebill enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If you enable the charging overflow attack defense function, the command checks the current configurations. Therefore, you need to enable the function after setting the working mode, ID, and cooperation IP address.
Before enabling the charging overflow attack defense module on the Eudemon, you need to set the working mode of the Eudemon and the ID of the charging overflow attack defense module.
Examples
# Enable the charging overflow attack defense module on the Eudemon.
<Eudemon> system-view
[Eudemon] firewall gtp safebill enable
Format
firewall gtp safebill serverip ip-address
undo firewall gtp safebill serverip
Parameters
ip-address: indicates the IP address of the Eudemon on the peer Gi interface.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the IP address of the Eudemon on the peer Gi interface to 40.1.1.1.
<Eudemon> system-view
[Eudemon] firewall gtp safebill serverip 40.1.1.1
Function
Using the firewall gtp tunnel-log enable command, you can enable the log function of GTP tunnels. Using the undo firewall gtp tunnel-log enable command, you can disable the log function of GTP tunnels.
Format
firewall gtp tunnel-log enable
undo firewall gtp tunnel-log enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enable the log function of GTP tunnels.
<Eudemon> system-view
[Eudemon] firewall gtp tunnel-log enable
3.14.21 gtp
Function
Using the gtp command, you can enable the application of the GTP policy between security zones. After the GTP policy is applied, the Eudemon can perform GTP detection, control, and filter for interzone packets. Using the undo gtp command, you can disable the application of the GTP policy between security zones.
Format
gtp policy-name { inbound | outbound }
undo gtp policy-name { inbound | outbound }
Parameters
policy-name: indicates the name of a GTP policy. The value is a character string of 1 to 10 characters.
inbound: applies the GTP policy in the inbound direction.
outbound: applies the GTP policy in the outbound direction.
Views
Interzone view
Default Level
2: Configuration level
Usage Guidelines
By default, the GTP policy is not applied between security zones.
Examples
# Apply the GTP policy in the inbound direction between the trust and untrust zones.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] gtp gtp1 inbound
Format
gtp policy policy-name
undo gtp policy policy-name
Parameters
policy-name: indicates the name of a GTP policy. The value is a character string of 1 to 10 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
A maximum of 32 GTP policies can be configured.
Examples
# Create the policy with the name as gtp1 and enter the view.
<Eudemon> system-view
[Eudemon] gtp policy gtp1
[Eudemon-gtp-gtp1]
Format
ie-confirm enable
ie-confirm enable create-pdp-context-request { v0 { private-extend | proto-config-option | rai | recovery } | v1 { first { charge-charact | omc-iden | private-extend | proto-config-option | rai | recovery | tft | trace-reference | trace-type | trigger-id } | secondary { charge-charact | control-teid | omc-iden | private-extend | rai | recovery | tft | trace-reference | trace-type | trigger-id } } }
ie-confirm enable create-pdp-context-response { v0 { charge-id | private-extend | proto-config-option | recovery } | v1 { charge-gate-addr | charge-id | private-extend | proto-config-option | recovery } }
ie-confirm enable delete-pdp-context-request { v0 private-extend | v1 { private-extend | teardown } }
ie-confirm enable delete-pdp-context-response { v0 | v1 } private-extend
ie-confirm enable pdu-notification-request { v0 | v1 } private-extend
ie-confirm enable pdu-notification-response { v0 | v1 } private-extend
ie-confirm enable pdu-notification-reject-request { v0 | v1 } private-extend
ie-confirm enable pdu-notification-reject-response { v0 | v1 } private-extend
ie-confirm enable sgsn-context-acknowledge { v0 | v1 } private-extend
ie-confirm enable sgsn-context-request { v0 { flow-label-sign | imsi | ms-valid | p-tmsi-sign | private-extend } | v1 { imsi | ms-valid | p-tmsi | p-tmsi-sign | private-extend | tlli } }
ie-confirm enable sgsn-context-response { v0 { pdp-context | private-extend } | v1 { charge-charact | packet-flow-id | pdp-context | private-extend | rab-context | radio-prio | radio-prio-sms } }
ie-confirm enable update-pdp-context-request { v0 { private-extend | rai | recovery } | v1 { ggsn-to-sgsn { end-user-addr | private-extend | qos-profile | recovery } | sgsn-to-ggsn { control-teid | imsi | omc-iden | private-extend | rai | recovery | tft | trace-reference | trace-type | trigger-id } } }
ie-confirm enable update-pdp-context-response { v0 { private-extend | charge-gate-addr | recovery } | v1 { ggsn-to-sgsn { charge-gate-addr | charge-id | control-teid | data-i-teid | private-extend | recovery | sign-ggsn-addr | user-ggsn-addr } | sgsn-to-ggsn { private-extend | recovery } } }
undo ie-confirm enable
undo ie-confirm enable create-pdp-context-request { v0 { private-extend | proto-config-option | rai | recovery } | v1 { first { charge-charact | omc-iden | private-extend | proto-config-option | rai | recovery | tft | trace-reference | trace-type | trigger-id } | secondary { charge-charact | control-teid | omc-iden | private-extend | rai | recovery | tft | trace-reference | trace-type | trigger-id } } }
undo ie-confirm enable create-pdp-context-response { v0 { charge-id | private-extend | proto-config-option | recovery } | v1 { charge-gate-addr | charge-id | private-extend | proto-config-option | recovery } }
undo ie-confirm enable delete-pdp-context-request { v0 private-extend | v1 { private-extend | teardown } }
undo ie-confirm enable delete-pdp-context-response { v0 | v1 } private-extend
undo ie-confirm enable pdu-notification-request { v0 | v1 } private-extend
undo ie-confirm enable pdu-notification-response { v0 | v1 } private-extend
undo ie-confirm enable pdu-notification-reject-request { v0 | v1 } private-extend
undo ie-confirm enable pdu-notification-reject-response { v0 | v1 } private-extend
undo ie-confirm enable sgsn-context-acknowledge { v0 | v1 } private-extend
undo ie-confirm enable sgsn-context-request { v0 { flow-label-sign | imsi | ms-valid | p-tmsi-sign | private-extend } | v1 { imsi | ms-valid | p-tmsi | p-tmsi-sign | private-extend | tlli } }
undo ie-confirm enable sgsn-context-response { v0 { pdp-context | private-extend } | v1 { charge-charact | packet-flow-id | pdp-context | private-extend | rab-context | radio-prio | radio-prio-sms } }
undo ie-confirm enable update-pdp-context-request { v0 { private-extend | rai | recovery } | v1 { ggsn-to-sgsn { end-user-addr | private-extend | qos-profile | recovery } | sgsn-to-ggsn { control-teid | imsi | omc-iden | private-extend | rai | recovery | tft | trace-reference | trace-type | trigger-id } } }
undo ie-confirm enable update-pdp-context-response { v0 { private-extend | charge-gate-addr | recovery } | v1 { ggsn-to-sgsn { charge-gate-addr | charge-id | control-teid | data-i-teid | private-extend | recovery | sign-ggsn-addr | user-ggsn-addr } | sgsn-to-ggsn { private-extend | recovery } } }
Parameters
create-pdp-context-request: indicates a request to create a PDP context.
create-pdp-context-response: indicates the response to creating a PDP context.
delete-pdp-context-request: indicates a request to delete a PDP context.
delete-pdp-context-response: indicates the response to deleting a PDP context.
v0: indicates R97 GTP. The IEs in V0 include:
rai: routing area identifier (3)
recovery: recovery (14)
charge-id: charging ID (127)
flow-label-sign: flow label signalling (17)
imsi: international mobile subscriber identity (2)
ms-valid: MS validated
pdp-context: PDP context (130)
proto-config-option: protocol configuration options (132)
charge-gate-addr: charging gateway address (251)
private-extend: private extension (255)
v1: indicates R99 GTP. The IEs in V1 include:
imsi: international mobile subscriber identity (2)
rai: routing area identifier (3)
recovery: recovery (14)
control-teid: tunnel endpoint identifier control plane (17)
teardown: teardown indication (19)
charge-charact: charging characteristics (26)
trace-reference: trace reference (27)
trace-type: trace type (28)
charge-id: charging ID (127)
proto-config-option: protocol configuration options (132)
tft: traffic flow template (TFT) (137)
trigger-id: trigger ID (142)
omc-iden: OMC identity (143)
charge-gate-addr: charging gateway address (251)
private-extend: private extension (255)
first: in a create-pdp-context-request of GTP V1, indicates the primary (first) PDP context activation.
secondary: in a create-pdp-context-request of GTP V1, indicates a secondary PDP context activation.
NOTE
For details on the IE meanings and the structure, refer to the GTP standard document.
Views
GTP policy view
Default Level
2: Configuration level
Usage Guidelines
After you configure checking of a mandatory IE, that IE must be present in the packet; otherwise the Eudemon discards the packet. By default, the Eudemon does not check the IEs in the GTP message body.
NOTE
Many command parameters are available. Therefore, it is recommended that you enter the parameters in alphabetical order when you use the ie-confirm enable or undo ie-confirm enable command.
Examples
# Enable the mandatory IE check in the GTP message body and require the routing area identifier in create-pdp-context-request packets of GTP V0.
<Eudemon> system-view
[Eudemon] gtp policy gtp1
[Eudemon-gtp-gtp1] ie-confirm enable
[Eudemon-gtp-gtp1] ie-confirm enable create-pdp-context-request v0 rai
Format
message-length enable min min-length max max-length
undo message-length enable
Parameters
min min-length: indicates the minimum length of a GTP message. The value ranges from 0 to 1452 in bytes. The default value is 0 bytes.
max max-length: indicates the maximum length of a GTP message. The value ranges from 0 to 1452 in bytes. The default value is 1452 bytes.
Views
GTP policy view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the minimum and maximum lengths of the GTP packets supported by the Eudemon.
<Eudemon> system-view
[Eudemon] gtp policy gtp1
[Eudemon-gtp-gtp1] message-length enable min 0 max 1000
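The two GTP policy checks described in this section, filter message-type (by GTP version and message type) and message-length, can be traced on raw packets with the following Python script. It is an added example, not Eudemon code: it assumes that the length the Eudemon compares against min/max is the Length field of the GTP header (the bytes following the mandatory 20-byte V0 or 8-byte V1 header), uses the standard GTP message-type codes for the keyword names of the filter message-type command, and the sample messages are hand-built.

```python
import struct

# GTP message-type codes (identical in GTP V0/R97 and GTP V1/R99) mapped to the
# keyword names used by filter message-type. Subset chosen for this example.
MESSAGE_TYPES = {
    1: "echo-request", 2: "echo-response", 3: "version-not-supported",
    16: "create-pdp-context-request", 17: "create-pdp-context-response",
    18: "update-pdp-context-request", 19: "update-pdp-context-response",
    20: "delete-pdp-context-request", 21: "delete-pdp-context-response",
    26: "error-indication", 255: "g-pdu",
}


def parse_gtp_header(pkt):
    """Return (version, message-type keyword, Length field) of a raw GTP message.

    The Length field counts the bytes after the mandatory header (20 bytes in V0,
    8 bytes in V1); a Length that disagrees with the packet size is malformed.
    """
    if len(pkt) < 4:
        raise ValueError("shorter than the common GTP header prefix")
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    version = flags >> 5                      # bits 7..5 carry the version
    if version not in (0, 1):
        return version, "unknown", length     # caller decides what to do
    mandatory = 20 if version == 0 else 8
    if len(pkt) < mandatory:
        raise ValueError("truncated GTP V%d header" % version)
    if len(pkt) - mandatory != length:
        raise ValueError("Length field %d does not match %d payload bytes"
                         % (length, len(pkt) - mandatory))
    return version, MESSAGE_TYPES.get(msg_type, "unknown"), length


def check_gtp_policy(pkt, filtered, drop_unknown=True, min_len=0, max_len=1452):
    """Emulate a GTP policy: filter message-type plus message-length enable min/max.

    filtered is the set of (version, keyword) pairs configured with
    'filter message-type v0|v1 <keyword>'; drop_unknown stands for
    'filter message-type unknown { message | version-number }'.
    Returns ("pass", None) or ("drop", reason).
    """
    try:
        version, name, length = parse_gtp_header(pkt)
    except ValueError as exc:
        return "drop", "malformed: %s" % exc
    if version not in (0, 1):
        return ("drop", "unknown version-number") if drop_unknown else ("pass", None)
    if name == "unknown":
        return ("drop", "unknown message") if drop_unknown else ("pass", None)
    if (version, name) in filtered:
        return "drop", "filter message-type v%d %s" % (version, name)
    if not min_len <= length <= max_len:
        return "drop", "message-length %d outside %d..%d" % (length, min_len, max_len)
    return "pass", None


# Constructed sample messages (hand-built for this example, not captured traffic).
# GTP V1 Echo Request: flags 0x32 (version 1, PT=1, S flag), 4 optional header bytes.
V1_ECHO_REQUEST = bytes.fromhex("32 01 0004 00000000 0001 00 00")
# GTP V0 Create PDP Context Request: 20-byte header followed by 16 payload bytes.
V0_CREATE_REQ = bytes.fromhex("1e 10 0010 0001 0000 ff ffffff") + bytes(8) + bytes(16)
# GTP V1 G-PDU carrying a 2000-byte T-PDU (exceeds the 1452-byte maximum).
V1_GPDU_LARGE = bytes.fromhex("30 ff 07d0 00001234") + bytes(2000)
# Unknown GTP version (bits 7..5 = 2) and an unassigned V1 message type (99).
V2_UNKNOWN = bytes.fromhex("40 01 0000 00000000")
V1_UNKNOWN_TYPE = bytes.fromhex("30 63 0000 00000000")

if __name__ == "__main__":
    # Equivalent of: filter message-type v0 create-pdp-context-request
    policy = {(0, "create-pdp-context-request")}
    for label, pkt in [("v1 echo", V1_ECHO_REQUEST), ("v0 create", V0_CREATE_REQ),
                       ("v1 g-pdu", V1_GPDU_LARGE), ("v2", V2_UNKNOWN),
                       ("v1 type 99", V1_UNKNOWN_TYPE)]:
        print(label, check_gtp_policy(pkt, policy))
```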
Format
reset firewall gtp statistics
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Clear all GTP statistics information.
<Eudemon> reset firewall gtp statistics
Function
Using the reset firewall gtp tunnel all command, you can delete all GTP tunnels.
Format
reset firewall gtp tunnel all
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Delete all the current GTP tunnels.
<Eudemon> reset firewall gtp tunnel all
Format
reset rule counter
Parameters
None
Views
ACL configuration view for GTP policy
Default Level
2: Configuration level
Usage Guidelines
To view the ACL rule hit counts of a GTP policy, it is recommended that you first clear the hit counts with this command and then view them with the display gtp policy command.
Examples
# Delete the count of ACL rule hits for GTP policy.
<Eudemon> system-view
[Eudemon] gtp policy gtp1
[Eudemon-gtp-gtp1] acl
[Eudemon-gtp-gtp1-acl] reset rule counter
Format
rule [ rule-id ] { permit | deny } { all | [ imsi mcc-mnc { mcc-mnc-value | any } | rai mcc-mnc { mcc-mnc-value | any } ] [ apn { name apn-name [ selection { ms | net | ver } ] | any } ] | msisdn { name msisdn-name | any } }
undo rule { rule-id | all }
Parameters
rule-id: indicates the ID of an ACL rule. It is an integer in the range of 0 to 5000. If rule-id is not specified, the Eudemon generates the value automatically.
permit: permits matching packets.
deny: discards matching packets.
all: matches all packets.
apn-name: indicates the name of an access point (APN). The value is a character string of 1 to 63 characters.
selection: indicates the APN selection mode carried in the request.
ms: indicates that the APN was provided by the MS and its subscription was not verified.
net: indicates that the APN was provided by the network and its subscription was not verified.
ver: indicates that the APN was provided by the MS or the network and its subscription was verified.
any: matches any IMSI prefix, RAI prefix, APN, or MSISDN.
imsi: indicates the international mobile subscriber identity.
mcc-mnc-value: indicates the MCC+MNC prefix of an IMSI or RAI. The value is a character string of 5 to 6 characters and supports the wildcard *.
msisdn-name: indicates the MSISDN. The value is a character string of 1 to 15 characters and supports the wildcard *.
rai: indicates the routing area identifier.
Views
ACL configuration view for GTP policy
Default Level
2: Configuration level
Usage Guidelines
The rule in this command is used in the same way as a rule in an ACL. By specifying a rule-id you can add a rule or modify an existing one. The Eudemon matches rules in ascending order of rule-id; at the first match it stops and applies that rule's action, permitting or denying the packet. Packets that match no rule are permitted by default, so traffic that is to be blocked must be covered by an explicit deny rule.
Examples
# Configure the ACL rules for GTP policy.
<Eudemon> system-view
[Eudemon] gtp policy gtp1
[Eudemon-gtp-gtp1] acl
[Eudemon-gtp-gtp1-acl] rule 0 permit apn any
[Eudemon-gtp-gtp1-acl] rule 1 permit rai mcc-mnc any
Format
step step-value
Parameters
step-value: Sets the value of the ACL step. The value ranges from 1 to 20.
Views
ACL configuration view for GTP policy
Default Level
2: Configuration level
Usage Guidelines
A step makes it easier to insert new rules. For example, if four rules numbered 5, 10, 15, and 20 are configured and you want to insert a rule after the first one, you can use the rule 6 xxxx command to insert a rule numbered 6 between rule 5 and rule 10.
Examples
# Modify the ACL step for GTP policy to 2.
<Eudemon> system-view
[Eudemon] gtp policy gtp1
[Eudemon-gtp-gtp1] acl
[Eudemon-gtp-gtp1-acl] step 2
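The following Python model, added here and not part of the Eudemon software, shows how the rule, step and reset rule counter commands of the ACL view interact: first match in ascending rule-id order, permit when nothing matches, step-based automatic rule numbering and per-rule hit counters. The wildcard semantics (pattern anchored at the start of the IMSI, RAI or MSISDN, with * matching any run of digits), the assumption that the first automatic rule-id equals the step value, and the session records are constructed for this example.

```python
from fnmatch import fnmatchcase


def prefix_match(value, pattern):
    """Match an IMSI/RAI/MSISDN against a prefix pattern that may contain '*'.

    Assumed semantics for this example: the pattern is anchored at the start of
    the value and '*' matches any run of digits ("460*" matches every 460 IMSI).
    """
    return fnmatchcase(value, pattern + "*")


class GtpPolicyAcl:
    """Emulates the ACL view of a GTP policy: step, rule and reset rule counter."""

    def __init__(self, step=5):
        self.step = step
        self.rules = {}        # rule-id -> (action, criteria)
        self.counters = {}     # rule-id -> hit count

    def rule(self, action, rule_id=None, **criteria):
        """Add or replace a rule. Criteria: imsi, rai, msisdn (prefix pattern or
        "any"), apn (name or "any") and selection (ms/net/ver, only with an apn
        name); no criteria means 'all'. Without rule-id the next multiple of the
        step above the highest id is used (assumed to start at the step value)."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:
            highest = max(self.rules, default=0)
            rule_id = (highest // self.step + 1) * self.step
        self.rules[rule_id] = (action, criteria)
        self.counters[rule_id] = 0
        return rule_id

    @staticmethod
    def _matches(criteria, session):
        for key in ("imsi", "rai", "msisdn"):
            pattern = criteria.get(key)
            if pattern is not None and pattern != "any" \
                    and not prefix_match(session[key], pattern):
                return False
        apn = criteria.get("apn")
        if apn is not None and apn != "any":
            if session["apn"] != apn:
                return False
            selection = criteria.get("selection")
            if selection is not None and session["selection"] != selection:
                return False
        return True

    def evaluate(self, session):
        """First match in ascending rule-id order wins; no match means permit."""
        for rule_id in sorted(self.rules):
            action, criteria = self.rules[rule_id]
            if self._matches(criteria, session):
                self.counters[rule_id] += 1
                return action, rule_id
        return "permit", None          # default pass for unmatched packets

    def reset_rule_counter(self):
        for rule_id in self.counters:
            self.counters[rule_id] = 0


def build_example_acl():
    """Constructed rule set (not the page's example): deny one PLMN, deny one
    MSISDN range inserted afterwards as rule 6, permit the rest of MCC 460."""
    acl = GtpPolicyAcl(step=5)
    acl.rule("deny", imsi="46001")                      # auto id 5
    acl.rule("permit", imsi="460*", apn="internet")     # auto id 10
    acl.rule("deny", rule_id=6, msisdn="8613*")         # inserted between 5 and 10
    return acl


# Constructed Create PDP Context Request contexts (sample data, not real subscribers).
SESSION_A = dict(imsi="460011234567890", rai="46001", apn="internet",
                 selection="ms", msisdn="8613800001234")
SESSION_B = dict(imsi="460021234567890", rai="46002", apn="internet",
                 selection="ver", msisdn="8613900000000")
SESSION_C = dict(imsi="460021234567890", rai="46002", apn="internet",
                 selection="net", msisdn="4477000000")
SESSION_D = dict(imsi="310150123456789", rai="310150", apn="internet",
                 selection="ms", msisdn="14155550100")

if __name__ == "__main__":
    acl = build_example_acl()
    for name, session in [("A", SESSION_A), ("B", SESSION_B),
                          ("C", SESSION_C), ("D", SESSION_D)]:
        print(name, acl.evaluate(session))
    print("hit counters:", acl.counters)
```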
Format
debugging firewall ids
undo debugging firewall ids
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, the debugging of the external IDS function is disabled.
Examples
# Enable external IDS debugging.
<Eudemon> debugging firewall ids
Format
display firewall ids
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The associated settings of IDS on the Eudemon are as follows:
Examples
# Display the associated settings of external IDS on the Eudemon.
<Eudemon> display firewall ids
Firewall IDS information:
firewall IDS: enable
debug flag: off
server port: 40000
authentication type: vip
authentication string:
client address 0: 169.254.1.10
Format
firewall ids authentication type { md5 [ key key-string ] | none }
undo firewall ids authentication
Parameters
md5: applies MD5 packet authentication.
none: does not authenticate packets.
key key-string: specifies the unencrypted key, a character string of 1 to 16 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the packet authentication is not performed for the external IDS server, that is, the none mode is used.
Examples
# Apply MD5 packet authentication between the Eudemon and the third-party IDS server.
<Eudemon> system-view
[Eudemon] firewall ids authentication type md5 key vip
Format
firewall ids enable
undo firewall ids enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, external IDS is disabled. When it is enabled, the Eudemon connects to a third-party IDS server, which performs intrusion detection analysis for the Eudemon, and the Eudemon filters packets according to the analysis result.
NOTE
You should configure the IP address and packet authentication for the IDS server before enabling external IDS.
Examples
# Enable the external third-party IDS of the Eudemon.
<Eudemon> system-view
[Eudemon] firewall ids enable
Succeed to start ids server.
Format
firewall ids port port-number
undo firewall ids port
Parameters
port port-number: specifies the number of the port in a range of 2048 to 50000. The default value is 40000.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the Eudemon communicates with the external IDS server via port 40000.
Examples
# Configure the third-party IDS server at 202.169.100.1 and set the port number to 40000.
<Eudemon> system-view
[Eudemon] firewall ids server 202.169.100.1
[Eudemon] firewall ids port 40000
Format
firewall ids server ip-address
undo firewall ids server [ ip-address ]
Parameters
ip-address: refers to the IP address of the external IDS server, in the format of dotted decimal.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no IP address is assigned for the external IDS server.
Examples
# Configure the third-party IDS server at 202.169.100.1.
<Eudemon> system-view
[Eudemon] firewall ids server 202.169.100.1
3.16.1 aaa
Function
Using the aaa command, you can enter AAA view and enable AAA.
Format
aaa
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enter AAA view.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa]
Format
accounting-scheme scheme-name
undo accounting-scheme scheme-name
Parameters
scheme-name: specifies the name of an accounting scheme. It is a case-insensitive string of 1 to 32 characters that follows the Windows naming rules, that is, it cannot contain the characters \, /, :, *, ?, ", <, or >.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
If an accounting scheme with the specified name already exists, the accounting scheme view is displayed directly. The system supports at most 128 accounting schemes. In addition, the system has a default scheme, which cannot be deleted but can be modified.
Examples
# Add an accounting scheme with the name newscheme.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] accounting-scheme newscheme
[Eudemon-aaa-accounting-newscheme]
3.16.3 accounting-mode
Function
Using the accounting-mode command, you can configure the accounting mode being used by the current accounting scheme.
Format
accounting-mode { radius | none | hwtacacs }
Parameters
none: does not perform accounting.
radius: performs accounting through a RADIUS server.
hwtacacs: performs accounting through an HWTACACS server.
Views
Accounting scheme view
Default Level
2: Configuration level
Usage Guidelines
By default, no accounting is conducted on login users.
Examples
# The RADIUS accounting mode is applied to scheme1.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] accounting-scheme scheme1
[Eudemon-aaa-accounting-scheme1] accounting-mode radius
Format
authentication-mode { hwtacacs | radius | local } * [ none ]
Parameters
hwtacacs: authenticates through an HWTACACS server.
radius: authenticates through a RADIUS server.
local: authenticates locally.
none: allows users to pass without being authenticated.
Views
Authentication scheme view
Default Level
2: Configuration level
Usage Guidelines
By default, the authentication mode is local. If multiple authentication modes are set for an authentication scheme, they are tried in the order in which they were configured, and the none mode, if configured, must be the last one.
Examples
# Set the authentication scheme scheme1 to adopt the local authentication.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authentication-scheme scheme1
[Eudemon-aaa-authen-scheme1] authentication-mode local
Using the undo authentication-scheme command, you can delete an existing authentication scheme that is not used by any domain.
Format
authentication-scheme scheme-name
undo authentication-scheme scheme-name
Parameters
scheme-name: specifies the name of an authentication scheme. It is a case-insensitive string of 1 to 32 characters that follows the Windows naming rules, that is, it cannot contain the characters \, /, :, *, ?, ", <, or >.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
When the specified authentication scheme does not exist, you can define a new one with the name specified in the authentication-scheme command. Otherwise, you will directly enter the authentication scheme view specified in the command. The system supports 16 authentication schemes at most. Moreover, the system has a default scheme, which cannot be deleted but can be modified.
Examples
# Add an authentication scheme with the name newscheme.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authentication-scheme newscheme
[Eudemon-aaa-authen-newscheme]
Format
display aaa configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display AAA configuration in brief.
<Eudemon> display aaa configuration
Format
display authentication-scheme [ scheme-name ]
Parameters
scheme-name: specifies the name of an authentication scheme. It is a case insensitive string of 1 to 32 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Running the command in authentication scheme view or specifying an authentication scheme, you can view its detailed configuration; otherwise, you will view the brief configuration.
Examples
# Display all authentication schemes in brief.
<Eudemon> display authentication-scheme
------------------------------------------------------------
Authentication-scheme-name          Authentication-method
------------------------------------------------------------
default                             local
scheme1                             local
------------------------------------------------------------
Total 2,2 printed
Format
display ip pool { global | domain domain-name }
Parameters
global: refers to the global IP address pool. domain-name: specifies the name of a domain, a string of 1 to 20 characters, excluding such characters as \, /, :, *, ?, ", < and >, case insensitive.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If you specify the global parameter, the IP address pool configured in AAA view is displayed. Addresses from this pool are assigned to users in the default domain and to users that are not authenticated. If you specify the domain domain-name parameter, the configuration and usage of the IP pool in that domain are displayed. A PPP user who requires authentication and is not in the default domain is assigned an address from the IP pool of the specified domain.
Examples
# Display the global IP pool.
<Eudemon> display ip pool global
-------------------------------------------------------------------------
Pool-number  Pool-start-addr  Pool-end-addr  Pool-length  Used-addr-number
-------------------------------------------------------------------------
1            1.1.1.1          1.1.1.30       30           0
2            2.2.2.2          2.2.3.1        256          0
-------------------------------------------------------------------------
Total pool number: 2
Format
display recording-scheme [ scheme-name ]
Parameters
scheme-name: specifies the name of a recording scheme, a string of 1 to 32 characters, case insensitive.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the recording scheme currentscheme.
Format
ip address ppp-negotiate undo ip address ppp-negotiate
Parameters
None
Views
Virtual-Template interface view
Default Level
2: Configuration level
Usage Guidelines
By default, this function is disabled on interfaces.
Examples
# Enable IP address negotiation on Virtual-Template interface 24.
<Eudemon> system-view
[Eudemon] interface virtual-template 24
[Eudemon-Virtual-Template24] ip address ppp-negotiate
3.16.11 ip pool
Function
Using the ip pool command, you can define a local address pool for assigning IP addresses to PPP users. Using the undo ip pool command, you can delete a local address pool.
Format
ip pool pool-number first-address [ last-address ] undo ip pool pool-number
Parameters
pool-number: specifies the number of an address pool in a range of 0 to 99. first-address: specifies the starting IP address in the address pool. last-address: specifies the ending IP address in the address pool.
Views
AAA view, AAA domain view
Default Level
2: Configuration level
Usage Guidelines
By default, no local address pool is defined. The total number of IP addresses in all address pools cannot be greater than 4096. In addition, if no ending IP address is specified during the address pool configuration, there is only one IP address in the address pool, that is, the starting IP address.
Examples
# Configure the local address pool 0, including the IP addresses from 129.102.0.1 to 129.102.0.10.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] ip pool 0 129.102.0.1 129.102.0.10
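The limits stated above (pool numbers 0 to 99, a single address when last-address is omitted, at most 4096 addresses across all pools) are easy to get wrong when pools are built up over time. The following Python is an added example, not code from this manual or from the Eudemon: it checks those limits for a set of pools and parses the table that display ip pool global prints, flagging rows whose Pool-length disagrees with the start and end addresses. The overlap check and the "re-entering a pool number replaces it" behaviour are this example's own assumptions, and the sample table is constructed.

```python
# Added example (not from the Huawei manual): validate ip pool limits and audit the
# table printed by `display ip pool global`. Overlap checking and replace-on-reuse
# semantics are assumptions of this example, not rules stated in the manual.
import ipaddress

POOL_NUMBERS = range(0, 100)      # manual: pool-number 0..99
MAX_TOTAL_ADDRESSES = 4096        # manual: total addresses across all pools

# Constructed sample in the layout of `display ip pool global`; row 3 is deliberately
# inconsistent (1.1.1.1..1.1.1.5 holds 5 addresses, not 6).
SAMPLE_OUTPUT = """-------------------------------------------------------------------------
Pool-number Pool-start-addr Pool-end-addr Pool-length Used-addr-number
-------------------------------------------------------------------------
1 1.1.1.1 1.1.1.30 30 0
2 2.2.2.2 2.2.3.1 256 0
3 1.1.1.1 1.1.1.5 6 0
-------------------------------------------------------------------------
Total pool number: 3
"""


def pool_length(first, last=None):
    """Number of addresses in first..last; first alone is a one-address pool."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last)) if last is not None else a
    if b < a:
        raise ValueError(f"last-address {last} precedes first-address {first}")
    return b - a + 1


def add_pool(pools, number, first, last=None):
    """Add pool `number` to the dict `pools` ({number: (lo, hi)} as integers),
    enforcing the manual's limits. Returns the pool length."""
    if number not in POOL_NUMBERS:
        raise ValueError(f"pool-number {number} outside 0..99")
    a = int(ipaddress.IPv4Address(first))
    b = a + pool_length(first, last) - 1
    others = {n: r for n, r in pools.items() if n != number}   # assumption: reuse replaces
    in_use = sum(hi - lo + 1 for lo, hi in others.values())
    if in_use + (b - a + 1) > MAX_TOTAL_ADDRESSES:
        raise ValueError("total addresses in all pools would exceed 4096")
    for n, (lo, hi) in others.items():                          # extra sanity check
        if a <= hi and lo <= b:
            raise ValueError(f"range overlaps pool {n}")
    pools[number] = (a, b)
    return b - a + 1


def parse_display_ip_pool(text):
    """Parse pool rows from `display ip pool global` output.
    Returns (rows, numbers of rows whose Pool-length is inconsistent)."""
    rows, problems = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue                                            # separators, header, total
        number, start, end, length, used = parts
        row = {"number": int(number), "start": start, "end": end,
               "length": int(length), "used": int(used)}
        rows.append(row)
        if pool_length(start, end) != row["length"]:
            problems.append(row["number"])
    return rows, problems


if __name__ == "__main__":
    pools = {}
    add_pool(pools, 0, "129.102.0.1", "129.102.0.10")           # the manual's example pool
    print(pools, parse_display_ip_pool(SAMPLE_OUTPUT))
```

Run it as a script, or feed parse_display_ip_pool the captured output of display ip pool global when auditing a device.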
3.16.12 recording-mode
Function
Using the recording-mode command, you can set a recording mode for the current recording scheme.
Format
recording-mode hwtacacs template-name undo recording-mode
Parameters
template-name: specifies the name of an HWTACACS server template involved in a recording mode, a string of 1 to 32 characters.
Views
Recording scheme view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Configure the recording scheme scheme1 by using the HWTACACS template test.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] recording-scheme scheme1
[Eudemon-aaa-recording-scheme1] recording-mode hwtacacs test
3.16.13 recording-scheme
Function
Using the recording-scheme command, you can define a recording scheme and enter the corresponding view. Using the undo recording-scheme command, you can delete an existing recording scheme. Using the { cmd | outbound | system } recording-scheme command, you can set the recording scheme for the commands executed on the Eudemon by users, for the outbound connections the Eudemon makes as a client, or for system events. Using the undo { cmd | outbound | system } recording-scheme command, you can remove the recording scheme, so that the corresponding recording is no longer performed.
Format
recording-scheme scheme-name undo recording-scheme scheme-name { cmd | outbound | system } recording-scheme scheme-name
Parameters
scheme-name: specifies the name of a recording scheme, a string of 1 to 32 characters, case insensitive, following the naming criterion of Windows, that is, excluding such characters as \, /, :, *, ?, ", < and >.
cmd: records the commands executed on the Eudemon by users.
outbound: records outbound connection information. At present, only Telnet users are recorded.
system: records system-level events that are unrelated to users, including the events caused by the reboot, hsc reset system, and hsc reset viu commands.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
By default, the system-level events are not recorded. In recording scheme view, you can configure the scheme through an HWTACACS server template. The basic recording policy such as recording mode must be configured. The system supports 128 recording schemes at most. Moreover, the system has a default scheme, which cannot be deleted but can be modified.
Examples
# Define a recording scheme by the name of newscheme.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] recording-scheme newscheme
[Eudemon-aaa-recording-newscheme]
Using the undo remote address command, you can cancel the current setting.
Format
remote address { ip-address | pool [ pool-number ] } undo remote address
Parameters
ip-address: specifies the IP address assigned to the remote users, in dotted decimal format. pool-number: specifies the address pool configured in AAA view. If no number is specified, the default address pool 0 is adopted.
Views
Virtual template interface view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Assign the IP address 129.102.0.1 to the remote users through Virtual-Template0.
<Eudemon> system-view
[Eudemon] interface Virtual-Template 0
[Eudemon-Virtual-Template0] remote address 129.102.0.1
3.17.11 radius-server timeout
3.17.12 radius-server traffic-unit
3.17.13 radius-server type
3.17.14 radius-server user-name domain-included
Format
debugging radius packet undo debugging radius packet
Parameters
packet: enables the RADIUS packet debugging.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, the RADIUS packet debugging is disabled.
Examples
# Enable the RADIUS packet debugging.
<Eudemon> debugging radius packet
Format
display radius-server configuration [ template template-name ]
Parameters
template-name: specifies the name of a RADIUS server template, a string of 1 to 32 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the configuration of a RADIUS server.
<Eudemon> display radius-server configuration
Format
radius-server accounting ip-address port [ source loopback interface-number ] [ secondary ] undo radius-server accounting [ secondary ]
Parameters
ip-address: specifies the IP address of an accounting server. The value is in dotted decimal notation and must be a valid unicast address. port: specifies the port number, an integer ranging from 1 to 65535. source: binds the source interface. interface-number: specifies the number of the loopback interface, an integer ranging from 0 to 1023.
secondary: Indicates the secondary server. If this parameter is not specified, the RADIUS server refers to a primary server.
Views
RADIUS server template view
Default Level
2: Configuration level
Usage Guidelines
The IP addresses of the primary and the secondary accounting servers must be different; otherwise, the server configuration fails. If the command is executed repeatedly, the new configuration supersedes the previous one. You can modify this configuration only when the RADIUS server template is not in use.
Examples
# Configure the primary accounting server.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server accounting 10.163.155.13 1813 source loopback 10
Format
radius-server accounting-stop-packet resend { enable times | disable }
Parameters
enable: enables the accounting stop packet retransmission. times: specifies the number of times for retransmitting accounting stop packets. Its value ranges from 1 to 1024. disable: prevents accounting stop packets from being retransmitted.
Views
RADIUS view
Default Level
2: Configuration level
Usage Guidelines
By default, the accounting stop packet retransmission is disabled. You can modify this configuration only when the RADIUS server template is not in use.
NOTE
Accounting stop packets buffered for retransmission occupy memory once this function is enabled, which increases system overhead.
Examples
# Set the number of times for retransmitting accounting stop packets to 10.
<Eudemon> system-view
[Eudemon] radius-server template 163
[Eudemon-radius-163] radius-server accounting-stop-packet resend enable 10
Format
radius-server authentication ip-address [ port ] [ secondary ] undo radius-server authentication [ secondary ]
Parameters
ip-address: specifies the IP address of a server in dotted decimal format. It must be a valid unicast address. port: specifies the number of a port in a range of 1 to 65535. The default value is 1812. secondary: refers to the secondary server. Without the parameter, refers to the primary server.
Views
RADIUS view
Default Level
2: Configuration level
Usage Guidelines
The IP address of the primary authentication server must differ from that of the secondary authentication server; otherwise, the failure prompt is displayed. In the case that the command is executed repeatedly, the new configuration will overwrite the previous one. You can modify this configuration only when the RADIUS server template is not in use. Deleting a server takes effect only on the subsequent packets.
Examples
# Configure the primary authentication server.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server authentication 10.163.155.13 1812
Format
radius-server nas-port-format { new | old }
Parameters
new: uses the new NAS port format. old: uses the old NAS port format.
Views
RADIUS view
Default Level
2: Configuration level
Usage Guidelines
By default, the new NAS port format is adopted. The NAS port format determines how the user's physical port information is carried to the RADIUS server, which uses it for services such as binding a user name to a port. This is an internal extended attribute of Huawei, used for interworking and service cooperation between Huawei devices. The two formats differ in how they encode the physical port of users that access through Ethernet.
The new NAS port format is composed of an 8-bit slot number, 4-bit subslot number, 8-bit port number, and 12-bit VLAN ID, in that order. The old NAS port format is composed of a 12-bit slot number, 8-bit port number, and 12-bit VLAN ID, in that order.
The port format for a user accessing through ADSL is composed of a 4-bit slot number, 2-bit subslot number, 2-bit port number, 8-bit VPI and 16-bit VCI, in that order. The NAS port format must be used along with the accounting system of Huawei.
Examples
# Set the new NAS port format to the RADIUS server template test1.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server nas-port-format new
Format
radius-server nas-port-id-format { new | old }
Parameters
new: uses the new NAS port ID format. old: uses the old NAS port ID format.
Views
RADIUS view
Default Level
2: Configuration level
Usage Guidelines
By default, the new NAS port ID format is adopted. Similar to the NAS port format, this is an internal extended attribute of Huawei, used for interworking and service cooperation between Huawei devices.
In the new format:
The NAS port ID of a user accessing through Ethernet is "slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx", in which slot ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 0 to 4095.
The NAS port ID of a user accessing through ADSL is "slot=xx; subslot=x; port=x; VPI=xxx; VCI=xxxxx", in which slot ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and VCI from 0 to 65535.
In the old format:
The NAS port ID of a user accessing through Ethernet is composed of a 2-character port number, 2-byte subslot number, 3-byte card number, and 9-character VLAN ID, in that order. The NAS port ID of a user accessing through ADSL is composed of a 2-character port number, 2-byte subslot number, 3-byte card number, 8-character VPI and 16-character VCI, in that order, prefixed with zeros where necessary.
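The practical consequence of the two preceding commands is that the device and the RADIUS server must agree on the layout, or the server decodes the wrong slot and port. The following Python is an added example, not code from this manual or from the Eudemon: it packs and unpacks the 32-bit NAS-Port value in the new and old Ethernet layouts and the ADSL layout described under radius-server nas-port-format, shows what a server configured for the old layout makes of a value built in the new one, and renders the new-format Ethernet NAS-Port-Id string. The field widths and value ranges are the manual's; the helper names, the most-significant-field-first bit order, and the exact separators and labels of the NAS-Port-Id string (taken from the manual's description, not from captured output) are assumptions of this example.

```python
# Added example (not from the Huawei manual): pack/unpack the RADIUS NAS-Port
# attribute in the layouts selected by radius-server nas-port-format and render the
# new-format NAS-Port-Id string. Bit order (most significant field first) and the
# NAS-Port-Id separators are assumptions of this example; widths/ranges are the manual's.

# (field, width in bits), most significant field first; each layout totals 32 bits
ETH_NEW = (("slot", 8), ("subslot", 4), ("port", 8), ("vlan", 12))
ETH_OLD = (("slot", 12), ("port", 8), ("vlan", 12))
ADSL = (("slot", 4), ("subslot", 2), ("port", 2), ("vpi", 8), ("vci", 16))


def pack_nas_port(layout, **fields):
    """Pack named fields into one NAS-Port integer, rejecting out-of-range values."""
    value = 0
    for name, width in layout:
        v = fields[name]
        if not 0 <= v < (1 << width):
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        value = (value << width) | v
    return value


def unpack_nas_port(layout, value):
    """Split a NAS-Port integer back into its fields under the given layout."""
    total = sum(width for _, width in layout)
    if not 0 <= value < (1 << total):
        raise ValueError(f"value does not fit a {total}-bit layout")
    fields = {}
    for name, width in reversed(layout):
        fields[name] = value & ((1 << width) - 1)
        value >>= width
    return fields


def format_mismatch(value):
    """Decode one NAS-Port under both Ethernet layouts: what a RADIUS server sees when
    it and the device disagree on radius-server nas-port-format."""
    return {"new": unpack_nas_port(ETH_NEW, value), "old": unpack_nas_port(ETH_OLD, value)}


# New-format Ethernet NAS-Port-Id: (label, maximum, digit count), per the manual's ranges;
# label spelling and "; " separators follow the manual's description "slot=xx; subslot=xx; ..."
NAS_PORT_ID_ETH_LIMITS = (("slot", 15, 2), ("subslot", 15, 2), ("port", 255, 3), ("VLAN ID", 4095, 4))


def nas_port_id_ethernet(slot, subslot, port, vlan):
    """Render the new-format NAS-Port-Id string for an Ethernet user, zero-padded."""
    parts = []
    for (label, hi, digits), v in zip(NAS_PORT_ID_ETH_LIMITS, (slot, subslot, port, vlan)):
        if not 0 <= v <= hi:
            raise ValueError(f"{label}={v} outside 0..{hi}")
        parts.append(f"{label}={v:0{digits}d}")
    return "; ".join(parts)


if __name__ == "__main__":
    v = pack_nas_port(ETH_NEW, slot=3, subslot=1, port=10, vlan=100)
    print(hex(v), format_mismatch(v))
    print(nas_port_id_ethernet(3, 1, 10, 100))
```

With slot 3, subslot 1, port 10 and VLAN 100 packed in the new layout, a server decoding the old layout still reads port 10 and VLAN 100 but reports slot 49, because the 4 subslot bits are folded into its 12-bit slot field: a user-to-port binding keyed on the slot silently fails.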
Examples
# Set the new NAS port ID format to the RADIUS server template "test1".
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server nas-port-id-format new
Format
radius-server retransmit retry-times undo radius-server retransmit
Parameters
retry-times: specifies the number of retransmission events, in a range of 1 to 5. It defaults to 3.
Views
RADIUS view
Default Level
2: Configuration level
Usage Guidelines
You can modify this setting only when the RADIUS server template is not in use. This command can be used along with the radius-server timeout command at the same time.
Examples
# Set the number of retransmission events to 4.
Format
radius-server shared-key key-string
Parameters
key-string: specifies a shared key, a string of 1 to 16 characters. It defaults to "huawei".
Views
RADIUS view
Default Level
2: Configuration level
Usage Guidelines
You can modify this configuration only when the RADIUS server template is not in use. Because the default key "huawei" is published in this manual and is shared by every template whose key has not been changed, set a site-specific key that matches the one configured on the RADIUS server before the template is put into use.
Examples
# Set the shared key of the RADIUS server as hello.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server shared-key hello
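What the shared key actually protects is worth seeing in code. In an Access-Request the User-Password attribute is hidden with the RFC 2865 section 5.2 scheme: the password is padded to 16-byte blocks and each block is XORed with MD5(secret || previous block), where the first "previous block" is the 16-byte Request Authenticator carried in clear in the packet header. The following Python is an added example, not code from this manual or from the Eudemon: it implements that hiding and its inverse, and shows that a captured Access-Request from a template still using the default key "huawei" yields the user's password to anyone who knows that default. The secret, Request Authenticator and password are constructed; only the default key comes from the manual.

```python
# Added example (not from the Huawei manual): RFC 2865 section 5.2 User-Password hiding,
# the protection the RADIUS shared key gives the password in an Access-Request.
# "huawei" is the template default stated in the manual; everything else is constructed.
import hashlib
import os

DEFAULT_KEY = b"huawei"  # manual: default shared key of a RADIUS server template


def hide_password(password, secret, authenticator):
    """Hide User-Password: pad to a 16-byte multiple, then XOR block i with
    MD5(secret || c_{i-1}), where c_0 is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block          # chaining: the ciphertext block feeds the next pad
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password. Anyone holding the shared secret and a captured
    Access-Request (whose header carries the authenticator in clear) can run this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return bytes(out).rstrip(b"\x00")   # drop RFC padding; NUL is not a valid password byte


def try_default_key(hidden, authenticator):
    """Attempt to recover a captured User-Password with the manual's default key.
    Returns the plaintext only if it decodes to printable ASCII (a cheap sanity check)."""
    candidate = reveal_password(hidden, DEFAULT_KEY, authenticator)
    if candidate and all(0x20 <= b < 0x7F for b in candidate):
        return candidate
    return None


if __name__ == "__main__":
    auth = os.urandom(16)                      # what the NAS puts in the Access-Request header
    hidden = hide_password(b"S3cret-pw", DEFAULT_KEY, auth)
    print("recovered with default key:", try_default_key(hidden, auth))
```

A 15-character site-specific key (within the 1 to 16 characters the command accepts) defeats try_default_key; note that the scheme is still only as strong as the secrecy of the key, since there is no per-session key agreement in RADIUS.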
Format
radius-server template template-name undo radius-server template template-name
Parameters
template-name: specifies the name of a RADIUS server template, a string of 1 to 32 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
In RADIUS view, you can configure the RADIUS server template. The system supports 128 RADIUS server templates at most. You can modify this configuration only when the RADIUS server template is not in use. If the template is in use while being deleted, the failure prompt is displayed.
Examples
# Create a RADIUS server template test1 and enter the corresponding view.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1]
Format
radius-server timeout timeout-value undo radius-server timeout
Parameters
timeout-value: specifies the timeout value of the retransmission, in a range of 3 to 10 seconds. The default value is 5 seconds.
Views
RADIUS view
Default Level
2: Configuration level
Usage Guidelines
You can modify this setting only when the RADIUS server template is not in use. This command can be used along with the radius-server retransmit command at the same time.
Examples
# Set the retransmission timeout of the RADIUS server to 6 seconds.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server timeout 6
Format
radius-server traffic-unit { byte | kbyte | mbyte | gbyte }
Parameters
byte: takes byte as the traffic unit. kbyte: takes kilobyte as the traffic unit. mbyte: takes megabyte as the traffic unit. gbyte: takes gigabyte as the traffic unit.
Views
RADIUS view
Default Level
2: Configuration level
Usage Guidelines
By default, the traffic unit is byte. You can modify this setting only when the RADIUS server template is not in use. This setting has no effect on servers whose template uses the standard RADIUS type (see radius-server type).
Examples
# Set the traffic unit of the RADIUS server as kilobyte.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server traffic-unit kbyte
Format
radius-server type { standard | portal }
Parameters
standard: applies the standard RADIUS protocol to the server. portal: applies the Portal RADIUS protocol, also called RADIUS+, V1.1, to the server.
Views
RADIUS view
Default Level
2: Configuration level
Usage Guidelines
By default, the server adopts the standard RADIUS protocol. You can modify this setting only when the RADIUS server template is not in use.
Examples
# Apply the RADIUS+ protocol to the server.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] radius-server type portal
Using the undo radius-server user-name domain-included command, you can cancel the setting.
Format
radius-server user-name domain-included undo radius-server user-name domain-included
Parameters
None
Views
RADIUS view
Default Level
2: Configuration level
Usage Guidelines
By default, the user name contains the domain name. You can modify this setting only when the RADIUS server template is not in use.
Examples
# Set the user name excluding the domain name.
<Eudemon> system-view
[Eudemon] radius-server template test1
[Eudemon-radius-test1] undo radius-server user-name domain-included
3.18.11 hwtacacs-server timer quiet
3.18.12 hwtacacs-server timer response-timeout
3.18.13 hwtacacs-server traffic-unit
3.18.14 hwtacacs-server user-name domain-included
3.18.15 reset hwtacacs-server accounting-stop-packet
3.18.16 reset hwtacacs-server statistics
Format
debugging hwtacacs { all | error | event | message | receive-packet | send-packet } undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
Parameters
all: enables all HWTACACS debugging functions. error: enables the error debugging. event: enables the event debugging. message: enables the message debugging. receive-packet: enables the debugging on received packets. send-packet: enables the debugging on sent packets.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, HWTACACS server debugging is disabled.
Examples
# Enable the HWTACACS event debugging.
<Eudemon> debugging hwtacacs event
Format
display hwtacacs-server accounting-stop-packet { all | number | ip ip-address }
Parameters
all: displays all accounting stop packets. number: displays the first number accounting stop packets; the value ranges from 1 to 65535. ip ip-address: displays the accounting stop packets for the specified IP address, in dotted decimal format.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display all accounting stop packets.
<Eudemon> display hwtacacs-server accounting-stop-packet all
Format
display hwtacacs-server template [ template-name [ verbose ] ]
Parameters
template-name: specifies the name of an HWTACACS server template. It is a case insensitive string of 1 to 32 characters. verbose: displays the statistics of the HWTACACS server in detail.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display all HWTACACS servers.
<Eudemon> display hwtacacs-server template
Format
hwtacacs-server accounting ip-address [ port ] [ secondary ] undo hwtacacs-server accounting [ secondary ]
Parameters
ip-address: specifies the IP address of a server in dotted decimal format. It must be a valid unicast address. port: specifies the port number of a server in a range of 1 to 65535. Its default number is 49. secondary: refers to the secondary server. Without the parameter, it refers to the primary server.
Views
HWTACACS view
Default Level
2: Configuration level
Usage Guidelines
By default, the IP address of the HWTACACS accounting server is the all-zeros address 0.0.0.0. The IP address of the primary accounting server must differ from that of the secondary accounting server; otherwise, a failure prompt is displayed. If the command is executed repeatedly, the new configuration overwrites the previous one. The server can be deleted only when it is not used by any active TCP connection for sending accounting packets. Deleting a server takes effect only on subsequent packets.
Examples
# Configure the primary accounting server.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server accounting 10.163.155.12 49
Format
hwtacacs-server accounting-stop-packet resend { disable | enable number }
Parameters
disable: disables retransmitting accounting stop packets. enable: enables retransmitting accounting stop packets. number: specifies the number of retransmitted accounting stop packets. Its value ranges from 1 to 300.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, retransmission of accounting stop packets is enabled, and the number of retransmitted packets is 100.
Examples
# Enable retransmission of accounting stop packets, with 50 retransmitted packets.
<Eudemon> system-view
[Eudemon] hwtacacs-server accounting-stop-packet resend enable 50
Format
hwtacacs-server authentication ip-address [ port ] [ secondary ] undo hwtacacs-server authentication [ secondary ]
Parameters
ip-address: specifies the IP address of a server in dotted decimal format. It must be a valid unicast address. port: specifies the port number of the server in a range of 1 to 65535. It defaults to 49. secondary: refers to the secondary server.
Views
HWTACACS view
Default Level
2: Configuration level
Usage Guidelines
By default, the IP address of the HWTACACS authentication server is the all-zeros address 0.0.0.0. The IP address of the primary authentication server must differ from that of the secondary authentication server; otherwise, a failure prompt is displayed. If the command is executed repeatedly, the new configuration overwrites the previous one.
The server can be deleted only when it is not used by any active TCP connection for sending authentication packets.
Examples
# Configure the primary authentication server.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server authentication 10.163.155.13 49
Format
hwtacacs-server authorization ip-address [ port ] [ secondary ] undo hwtacacs-server authorization [ secondary ]
Parameters
ip-address: specifies the IP address of a server in dotted decimal format. It must be a valid unicast address. port: specifies the port number of the server in a range of 1 to 65535. It defaults to 49. secondary: refers to the secondary server.
Views
HWTACACS view
Default Level
2: Configuration level
Usage Guidelines
By default, the IP address of the HWTACACS authorization server is the all-zeros address 0.0.0.0. The IP address of the primary authorization server must differ from that of the secondary authorization server; otherwise, a failure prompt is displayed. If the command is executed repeatedly, the new configuration overwrites the previous one. The server can be deleted only when it is not used by any active TCP connection for sending authorization packets.
Examples
# Configure the primary authorization server.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server authorization 10.163.155.13 49
Format
hwtacacs-server shared-key key-string undo hwtacacs-server shared-key
Parameters
key-string: specifies a shared key, a string of 1 to 16 characters.
Views
HWTACACS view
Default Level
2: Configuration level
Usage Guidelines
By default, no shared key is set for the HWTACACS server. Set a key that matches the one configured on the HWTACACS server before the template is put into use.
Examples
# Set the shared key of the HWTACACS server as "hello".
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server shared-key hello
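Unlike the RADIUS key, which only hides the User-Password attribute, a TACACS+ key covers the whole packet body, and with no key configured (the default above) the body travels in clear. The following Python is an added example, not code from this manual or from the Eudemon, and it assumes that HWTACACS uses the TACACS+ body obfuscation of RFC 8907 section 4.5: a pseudo-pad of chained MD5 digests over session_id, key, version and seq_no is XORed with the body, and the TAC_PLUS_UNENCRYPTED_FLAG header bit is set when no key is in use. It builds a minimal authentication START packet for a constructed user and session and shows that the user name is readable off the wire without a key and not with one. The session id, key and packet fields are constructed; the constants are RFC 8907's.

```python
# Added example (not from the Huawei manual): what the HWTACACS shared key protects,
# assuming HWTACACS uses the TACACS+ (RFC 8907 section 4.5) body obfuscation.
# Session id, key and START body are constructed for illustration.
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC          # version byte = major << 4 | minor
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in clear
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id||key||version||seq_no); MD5_n = MD5(...||MD5_{n-1});
    digests are concatenated and truncated to the body length."""
    head = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]


def apply_key(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same call
    obfuscates and de-obfuscates. With an empty key the body is returned unchanged."""
    if not key:
        return bytes(body)
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b"", priv_lvl=1):
    """Minimal TACACS+ authentication START body (RFC 8907 section 5.1)."""
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body, session_id, key, seq_no=1, minor=0):
    """12-byte TACACS+ header followed by the body, obfuscated when a key is set.
    The unencrypted flag is set exactly when no key is configured."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + apply_key(body, session_id, key, version, seq_no)


def username_visible(packet, user):
    """True if the user name can be read straight off the wire bytes after the header."""
    return user in packet[12:]


if __name__ == "__main__":
    body = authen_start_body(b"admin", b"vty0", b"10.1.1.100")
    print("no key  :", username_visible(build_packet(body, 0x1234ABCD, b""), b"admin"))
    print("with key:", username_visible(build_packet(body, 0x1234ABCD, b"hello"), b"admin"))
```

The pad depends only on the session id, key, version and sequence number, all of which except the key are in the packet header, so the key is the sole secret; as with RADIUS, choose it per site and keep it out of shared documentation.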
Format
hwtacacs-server source-ip ip-address undo hwtacacs-server source-ip
Parameters
ip-address: specifies the IP address in dotted decimal format.
Views
HWTACACS view
Default Level
2: Configuration level
Usage Guidelines
By default, the source IP address of a packet is the IP address of the interface that sends it.
Examples
# Set the source IP address of the HWTACACS server to 10.1.1.1.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server source-ip 10.1.1.1
Format
hwtacacs-server template template-name undo hwtacacs-server template template-name
Parameters
template-name: specifies the name of an HWTACACS server template, a string of 1 to 32 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Create an HWTACACS server template with the name test1 and enter the corresponding view.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1]
Format
hwtacacs-server timer quiet value undo hwtacacs-server timer quiet
Parameters
value: Indicates the time for the primary server to recover to the active state, in a range of 1 to 255 minutes.
Views
HWTACACS view
Default Level
2: Configuration level
Usage Guidelines
By default, it takes 5 minutes for the primary server to return to the active state.
Examples
# Set the quiet time of the primary server before it returns to the active state to 10 minutes.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server timer quiet 10
Format
hwtacacs-server timer response-timeout value undo hwtacacs-server timer response-timeout
Parameters
value: specifies the value of response timeout in a range of 1 to 300 seconds.
Views
HWTACACS view
Default Level
2: Configuration level
Usage Guidelines
The default response timeout of the HWTACACS server is 5 seconds.
NOTE
Because HWTACACS is implemented based on TCP, either the response timeout or TCP timeout may cause disconnection with the server.
Examples
# Set the response timeout of the HWTACACS server to 30 seconds.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server timer response-timeout 30
Format
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }
Parameters
byte: takes byte as the traffic unit. kbyte: takes kilobyte as the traffic unit. mbyte: takes megabyte as the traffic unit. gbyte: takes gigabyte as the traffic unit.
Views
HWTACACS view
Default Level
2: Configuration level
Usage Guidelines
By default, the traffic unit is byte.
Examples
# Set the traffic unit of the HWTACACS server as kilobyte.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server traffic-unit kbyte
Format
hwtacacs-server user-name domain-included undo hwtacacs-server user-name domain-included
Parameters
None
Views
HWTACACS view
Default Level
2: Configuration level
Usage Guidelines
By default, the user name contains the domain name.
Examples
# Set the user name including the domain name.
<Eudemon> system-view
[Eudemon] hwtacacs-server template test1
[Eudemon-hwtacacs-test1] hwtacacs-server user-name domain-included
Format
reset hwtacacs-server accounting-stop-packet { all | ip ip-address }
Parameters
all: resets the statistics of all accounting stop packets. ip ip-address: resets the statistics of the accounting stop packets containing specified IP addresses. The IP address is in dotted decimal format.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Reset the statistics of all accounting stop packets.
Format
reset hwtacacs-server statistics { all | accounting | authentication | authorization }
Parameters
all: resets all statistics. accounting: resets the statistics of all HWTACACS accounting servers. authentication: resets the statistics of all HWTACACS authentication servers. authorization: resets the statistics of all HWTACACS authorization servers.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Reset the statistics of all HWTACACS authentication Server.
<Eudemon> reset hwtacacs-server statistics accounting
3.19.7 binding virtual-template
3.19.8 display domain
3.19.9 dns
3.19.10 domain
3.19.11 hwtacacs-server (AAA Domain View)
3.19.12 idle-cut
3.19.13 nbns
3.19.14 radius-server
3.19.15 state (AAA Domain View)
3.19.16 user-car (AAA Domain View)
3.19.17 user-priority
3.19.1 access-limit
Function
Using the access-limit command, you can set the maximum number of users that are allowed to access, regardless of user type. Using the undo access-limit command, you can restore the default maximum number of access users.
Format
access-limit max-number
undo access-limit
Parameters
max-number: specifies the maximum number of the users that are allowed to access. The value is an integer ranging from 1 to 20608.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
By default, the maximum value is 20608.
Examples
# Set the maximum number of the access users to 100.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] access-limit 100
3.19.2 accounting-scheme
Format
accounting-scheme scheme-name
undo accounting-scheme
Parameters
scheme-name: specifies the name of an accounting scheme, a string of 1 to 32 characters, case insensitive, following the naming criterion of Windows, that is, excluding such characters as \, /, :, *, ?, ", <, and >.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
By default, domains adopt the system accounting scheme.
Examples
# Apply the accounting scheme test to the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authentication-scheme test
[Eudemon-aaa-authen-test] quit
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] accounting-scheme test
# Delete the accounting scheme of the current domain and restore the default setting.
[Eudemon-aaa-domain-mydomain] undo accounting-scheme
3.19.3 acl-number
Function
Using the acl-number command, you can set an ACL to the current domain. Using the undo acl-number command, you can delete an ACL from the domain.
Format
acl-number number
undo acl-number
Parameters
number: specifies the ACL number, in the range 2000 to 3999; that is, both basic ACLs and advanced ACLs can be applied.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
By default, no ACL is set. The ACL applied in the domain takes effect on all users accessing through this domain. A domain can reference only one ACL, so a newly configured ACL overwrites the previous one.
Examples
# Apply ACL 2010 to the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] acl-number 2010
3.19.4 authentication-scheme
Format
authentication-scheme scheme-name
undo authentication-scheme
Parameters
scheme-name: specifies the name of an authentication scheme, a string of 1 to 32 characters, case insensitive, following the naming criterion of Windows, that is, excluding such characters as \, /, :, *, ?, ", < and >.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
By default, domains adopt the system authentication scheme.
Examples
# Apply the authentication scheme test to the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authentication-scheme test
[Eudemon-aaa-authen-test] quit
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] authentication-scheme test
3.19.5 authorization-mode
Function
Using the authorization-mode command, you can set an authorization mode for the current authorization scheme.
Format
authorization-mode { hwtacacs | if-authenticated | local } * [ none ]
authorization-mode none
Parameters
hwtacacs: authorizes through an HWTACACS server.
local: authorizes locally.
if-authenticated: authorizes a user who passed an authentication other than none authentication; otherwise, the user is not authorized.
none: authorizes the user directly.
Views
Authorization scheme view
Default Level
2: Configuration level
Usage Guidelines
Four authorization modes are available. When several modes are configured in one authorization scheme, they are tried in the order in which they were configured, and the next mode is used only when the previous one does not reply. There is no default authorization mode, so you must configure at least one. If the none mode is included, it must be configured last.
Examples
# Set the authorization mode of the authorization scheme scheme1 as local.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authorization-scheme scheme1
[Eudemon-aaa-author-scheme1] authorization-mode local
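The fallback order described in the Usage Guidelines is easiest to see as a small model. The following is an added example, not code from the Huawei reference: the class and function names, the Reply enum and the sample backends are constructed, and treating a failed if-authenticated check as a final rejection rather than a fall-through is an assumption about the wording above.

```python
"""Model of the Eudemon authorization-mode fallback (added example, not from the reference).

Rules modelled, all taken from the command description:
  * modes are tried in the order they were configured;
  * the next mode is used only when the previous one does not reply;
  * 'none' authorizes directly and must be configured last;
  * 'if-authenticated' authorizes a user whose authentication mode was not 'none'.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_REPLY = "no-reply"   # server unreachable or timed out


VALID_MODES = ("hwtacacs", "local", "if-authenticated", "none")


class AuthorizationScheme:
    """Mirrors 'authorization-mode { hwtacacs | if-authenticated | local } * [ none ]'."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.modes: List[str] = []      # no default: the operator must configure modes

    def configure(self, *modes: str) -> None:
        if not modes:
            raise ValueError("at least one authorization mode is required")
        for m in modes:
            if m not in VALID_MODES:
                raise ValueError(f"unknown authorization mode: {m}")
        if "none" in modes and (modes.count("none") > 1 or modes[-1] != "none"):
            raise ValueError("'none' may appear once and must be the last mode")
        self.modes = list(modes)


Backend = Callable[[str], Reply]   # a server answering "is this user authorized?"


def authorize(scheme: AuthorizationScheme, user: str, authen_mode_used: str,
              backends: Dict[str, Backend]) -> Tuple[Reply, str]:
    """Return (decision, mode that produced it) for one user."""
    if not scheme.modes:
        raise RuntimeError(f"scheme {scheme.name}: no authorization mode configured")
    for mode in scheme.modes:
        if mode == "none":
            return Reply.ACCEPT, mode            # authorizes the user directly
        if mode == "if-authenticated":
            if authen_mode_used != "none":
                return Reply.ACCEPT, mode
            return Reply.REJECT, mode            # assumption: final, no fall-through
        reply = backends[mode](user)
        if reply is Reply.NO_REPLY:
            continue                             # fall through to the next configured mode
        return reply, mode
    return Reply.REJECT, "exhausted"             # no server replied and no 'none' mode


# Constructed sample backends: the HWTACACS server never answers and the
# local user database knows only user0.
SAMPLE_BACKENDS: Dict[str, Backend] = {
    "hwtacacs": lambda user: Reply.NO_REPLY,
    "local": lambda user: Reply.ACCEPT if user == "user0" else Reply.REJECT,
}


def demo() -> Tuple[Reply, str]:
    """hwtacacs does not reply, so the local mode decides."""
    scheme = AuthorizationScheme("scheme1")
    scheme.configure("hwtacacs", "local")
    return authorize(scheme, "user0", "hwtacacs", SAMPLE_BACKENDS)


if __name__ == "__main__":
    print(demo())   # (<Reply.ACCEPT: 'accept'>, 'local')
```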
3.19.6 authorization-scheme
Format
authorization-scheme scheme-name
undo authorization-scheme
Parameters
scheme-name: specifies the name of an authorization scheme, a string of 1 to 32 characters, case insensitive, on the basis of the naming criterion of Windows, that is, excluding such characters as \, /, :, *, ?, ", < and >.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
By default, domains adopt the system authorization scheme.
Examples
# Apply the authorization scheme test to the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] authentication-scheme test
[Eudemon-aaa-authen-test] quit
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] authorization-scheme test
3.19.7 binding virtual-template
Format
binding virtual-template virtual-template-number
undo binding virtual-template
Parameters
virtual-template-number: refers to the virtual template interface number; it is an integer ranging from 0 to 1023.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the current domain to bind to virtual template 0.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] binding virtual-template 0
3.19.8 display domain
The display domain output lists, for each domain: the domain name, status, accounting scheme, authentication scheme, CAR index, idle-cut data, default user priority, maximum number of access users, number of online users, and index number.
Format
display domain [ domain-name ]
Parameters
domain-name: specifies the name of a domain. It is a case insensitive string of 1 to 20 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If no domain is specified, you will view the configuration of all current existing domains.
Examples
# Display the configuration of all existing domains.
<Eudemon> display domain
3.19.9 dns
Function
Using the dns command, you can specify a DNS server for the current domain. Using the undo dns command, you can remove the DNS server from the current domain.
Format
dns { primary-ip | second-ip } ip-address
undo dns { primary-ip | second-ip }
Parameters
primary-ip: sets the primary DNS server.
second-ip: sets the secondary DNS server.
ip-address: specifies the IP address of the DNS server in dotted decimal format. It must be a valid unicast address.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
By default, a domain is not configured with any DNS server.
Examples
# Set the server at 10.1.1.1 as the primary DNS server of the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] dns primary-ip 10.1.1.1
3.19.10 domain
Function
Using the domain command, you can set up a domain and enter the corresponding view. Using the undo domain command, you can delete a domain.
Format
domain domain-name
undo domain domain-name
Parameters
domain-name: specifies the name of a domain, a string of 1 to 64 characters, excluding such characters as \, /, :, *, ?, ", < and >, case insensitive.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
The system supports up to 128 domains. There is a default domain, and each domain is in the active state after it is created.
Examples
# Specify the domain called mydomain and enter the corresponding view.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain]
3.19.11 hwtacacs-server (AAA Domain View)
Format
hwtacacs-server template-name
undo hwtacacs-server
Parameters
template-name: specifies the name of an HWTACACS server template, a string of 1 to 32 characters, case insensitive, on the basis of the naming criterion of Windows, that is, excluding such characters as \, /, :, *, ?, ", < and >.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
The HWTACACS server template referenced by the domain must already exist before it is configured in the domain.
Examples
# Configure the HWTACACS server template named mytemplate to the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] hwtacacs-server mytemplate
3.19.12 idle-cut
Function
Using the idle-cut command, you can set the parameters to disconnect the idle users in the current domain. Using the undo idle-cut command, you can disable the function.
Format
idle-cut cut-time-length cut-data-length
undo idle-cut
Parameters
cut-time-length: refers to the online time of idle users, in a range of 1 to 120 minutes.
cut-data-length: the user is regarded as idle when the user's traffic is less than this value. The value is in the range 0 to 768000 bytes.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
By default, the idle-cut function is disabled in a domain. When the user traffic is less than 60 bytes, the user is considered idle.
Examples
# Set the maximum online time of the idle users to 60 minutes and the minimum flow to 500 bytes.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] idle-cut 60 500
3.19.13 nbns
Function
Using the nbns command, you can specify an NBNS name server for the current domain. Using the undo nbns command, you can delete an NBNS name server of the current domain.
Format
nbns { primary-ip | second-ip } ip-address
undo nbns { primary-ip | second-ip }
Parameters
primary-ip: specifies the primary NBNS name server.
second-ip: specifies the secondary NBNS name server.
ip-address: refers to the IP address of the NBNS name server in dotted decimal format. It must be a valid unicast address.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
By default, no NBNS name server is configured to any domain.
Examples
# Specify the server at 10.1.1.1 as the NBNS name server to the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] nbns primary-ip 10.1.1.1
3.19.14 radius-server
Function
Using the radius-server command, you can set a RADIUS server template for the current domain. Using the undo radius-server command, you can delete the specified server template.
Format
radius-server template-name
undo radius-server
Parameters
template-name: refers to the name of a RADIUS server template, a string of 1 to 32 characters, case insensitive, on the basis of the naming criterion of Windows, that is, excluding such characters as \, /, :, *, ?, ", < and >.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
The RADIUS server template referenced by the domain must already exist before it is configured in the domain.
Examples
# Configure the RADIUS server template named radius-server-163 to the current domain.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] radius-server radius-server-163
3.19.15 state (AAA Domain View)
Format
state { active | block }
Parameters
active: sets the domain to the active state.
block: sets the domain to the block state.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
By default, a domain is in the active state after being created.
Examples
# Set the current domain to be in the block state.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] state block
3.19.16 user-car (AAA Domain View)
Function
Using the undo user-car command, you can restore the default setting of the traffic control level for the current domain.
Format
user-car level
undo user-car
Parameters
level: refers to the level of CAR in a range of 1 to 30.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
By default, no traffic control level is specified for a domain.
Examples
# Set the traffic control level of the current domain to 3.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] user-car 3
3.19.17 user-priority
Function
Using the user-priority command, you can set a priority for an access user in the current domain. Using the undo user-priority command, you can restore the default setting of the priority for an access user in the current domain.
Format
user-priority level
undo user-priority
Parameters
level: specifies the priority of a user in the range 0 through 7.
Views
Domain view
Default Level
2: Configuration level
Usage Guidelines
By default, the user priority is not specified.
Examples
# Set the priority of the access user to 7.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] domain mydomain
[Eudemon-aaa-domain-mydomain] user-priority 7
Format
cut access-user [ domain domain-name | interface interface-type interface-number [ vlan-id vlan-id ] | ip-address ip-address [ vpn-instance { vpn-instance-name | public } ] | mac-address mac-address | user-id start-id [ end-id ] | username { local | none | all | hwtacacs | radius } [ user-name ] ]
Parameters
domain: disconnects all user access of a domain.
domain-name: specifies a domain name of 1 to 20 characters. The value is case insensitive.
interface: disconnects all connections on the specified interface.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
vlan-id: disconnects all connections in the specified VLAN.
vlan-id: specifies a VLAN ID in the range 1 to 4094 and disconnects user access of that VLAN.
ip-address: disconnects user access according to the user's IP address.
ip-address: specifies an IP address in dotted decimal notation.
vpn-instance: disconnects user access according to the VPN instance.
vpn-instance-name: specifies a VPN instance name.
public: specifies VPN 0.
mac-address: disconnects user access according to the user's MAC address.
mac-address: specifies a MAC address in the format H-H-H.
user-id: disconnects user access according to the user index.
start-id: specifies the start index number. The value is an integer ranging from 0 to 20607.
end-id: specifies the end index number. The value is an integer ranging from 0 to 20607 and must be greater than the start index number.
username: disconnects user access according to the user name.
all: disconnects all user accesses.
local: disconnects users who are authenticated in local mode.
none: disconnects users who are not authenticated.
hwtacacs: disconnects users who are authenticated through HWTACACS.
radius: disconnects users who are authenticated through RADIUS.
user-name: specifies a user name in the format "username@domain name", a string of 1 to 64 characters. The value is case insensitive.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
If multiple eligible connections exist, they are released at the same time according to the user name and authentication mode.
Examples
# Disconnect user access according to the user name.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] cut access-user username local user0
[Eudemon-aaa] cut access-user username none user0
[Eudemon-aaa] cut access-user username all user0
Format
display access-user [ domain domain-name | ip-address ip-address | user-id user-id | username user-name ]
Parameters
domain: displays all user access of a domain.
domain-name: specifies a domain name, a string of 1 to 20 characters. The value is case insensitive.
ip-address: displays user access according to the user's IP address.
ip-address: specifies an IP address in dotted decimal notation.
user-id: displays user access according to the user index. It does not differentiate the user status.
user-id: specifies a user index number. The value is an integer ranging from 0 to 20607.
username: displays user access according to the user name.
user-name: specifies a user name in the format "username@domain name", a string of 1 to 64 characters. The value is case insensitive.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When you specify the username, user ID, IP address, or MAC address, you will view a specific connection in detail, including:
- User access ID
- User name
- Port number
- Authentication mode configured
- Authentication mode used
- Accounting mode
- The IP address
- Access time
- ACL number
When you specify a domain, you will view the access of the domain in brief, including:
- User access ID
- User name
- Port number
- Authentication mode configured
- Authentication mode used
- Accounting mode
- The IP address
- Access time
- ACL number
Examples
# Display the detailed information about connection of a user with user ID 1. In this example, user with ID 1 is offline.
Format
display local-user [ domain domain-name | username user-name | vpn-instance vpn-instance-name ]
Parameters
domain: displays all users in the specified domain.
domain-name: refers to the domain name, a string of 1 to 20 characters.
username: displays the user with the specified user name.
user-name: specifies the user name. It is a case-insensitive string of 1 to 64 characters. For users in the default domain, the format is "username". For users in a specified domain, the format is "username@domain-name". The name must not contain such characters as \, /, :, *, ?, ", and |.
vpn-instance: displays the user bound to the specified VPN instance.
vpn-instance-name: specifies a VPN instance name.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Executing this command, you can:
- View all users in brief if no optional parameter is specified.
- View the attributes of a user in detail by specifying the keyword user-name, including the user status and idle-cut data.
- View a user in brief by specifying another keyword.
Examples
# Display all the local users in brief.
Format
local-user user-name access-limit max-number
undo local-user user-name access-limit
Parameters
user-name: specifies a user name, a string of 1 to 64 characters.
max-number: specifies the maximum number of accesses the user is allowed. The value is an integer ranging from 1 to 20608.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
By default, no limit is set. Generally, a user account can set up multiple accesses, for example, 16 accesses through a VLAN or even more. In some PPP modes, however, it is recommended to allow only one access per user. Be sure to set a number that complies with the carrier's configuration.

When a local user already has connections, the new access limit must be compatible with them; otherwise, the setting fails. Specifically, if the local user has set up n (n >= 1) connections and the new access limit is m (m < n), the modification fails. If the change is required, use the cut access-user command to disconnect some connections first.

The number of accesses a user can set up is limited by the system capacity, the access limit of the domain where the user resides, and the user's own access limit; the smallest of these limits takes effect.
Examples
# Set the maximum number of the connections that the local user hello@163.net can set up to 5.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net access-limit 5
Format
local-user user-name ftp-directory directory
undo local-user user-name ftp-directory
Parameters
user-name: specifies the user name, a string of 1 to 64 characters, excluding wildcards.
directory: specifies the directory that the user can access, a string of 1 to 64 characters.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
By default, no FTP directory is set for users.
Examples
# Set the FTP directory flash:/ to the local user hello@163.net.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net ftp-directory flash:/
Using the undo local-user idle-cut command, you can disable the function.
Format
local-user user-name idle-cut
undo local-user user-name idle-cut
Parameters
user-name: specifies the user name, a string of 1 to 64 characters.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
By default, this function is disabled. Whether a user is in the idle state depends on the configuration of the domain to which the user belongs.
Examples
# Enable the idle-cut to the local user hello@163.net.
<Eudemon> system-view [Eudemon] aaa [Eudemon-aaa] local-user hello@163.net idle-cut
Format
local-user user-name l2tp-ip ip-address
undo local-user user-name l2tp-ip
Parameters
user-name: specifies the user name. It is a case-insensitive string of 1 to 64 characters.
ip-address: specifies the IP address, in dotted decimal notation.
Views
AAA view
Default Level
3: Management level
Usage Guidelines
This command is used only when the Eudemon serves as an L2TP Network Server (LNS) and L2TP users are bound with fixed IP addresses.
Examples
# Bind an L2TP user to the IP address 10.1.1.1.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello l2tp-ip 10.1.1.1
Format
local-user user-name level level
undo local-user user-name level
Parameters
user-name: specifies the user name, a string of 1 to 64 characters, excluding wildcards.
level: specifies the priority of the user, in the range 0 to 3.
Views
AAA view
Default Level
3: Management level
Usage Guidelines
For the related command, see local-user related commands.
Examples
# Set the priority of the local user hello@163.net to 3.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net level 3
Format
local-user user-name [ password { simple | cipher } password ]
undo local-user user-name
Parameters
user-name: specifies the user name, a character string. The part before @ is the user name and the part after @ is the domain name; without @, the string is the user name only and the default domain is adopted.
simple: displays the password in plain text.
cipher: displays the password in cipher text.
password: specifies the password, a string of 8 to 16 characters in simple mode or 24 characters in cipher mode, case sensitive, excluding command-line special characters such as the space and the question mark.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
To delete a local user, the user must have no active access. If there is any, use the local-user state block command to block the user so that subsequent authentication requests are rejected.

The password must meet the minimum complexity requirement: it must contain at least two of the following character types: uppercase letters, lowercase letters, digits (0 to 9), and special characters such as the exclamation mark (!), at sign (@), pound sign (#), dollar sign ($), and percent sign (%).

Up to 1000 local users can be set in the system. For the related commands, see the vlan-batch user commands.
Examples
# Add a local user with the name hello@163.net.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net password cipher helloWorld123
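The complexity and length rules stated in the Usage Guidelines and Parameters above can be checked before a password is pushed to the device. The following is an added example, not code from the Huawei reference: the function names are constructed, and because the page lists only !, @, #, $ and % as examples of special characters, treating all other printable punctuation as "special" is an assumption.

```python
"""Checker for the simple-mode local-user password rules (added example, not from the reference).

Rules implemented from the command description:
  * 8 to 16 characters in simple mode;
  * no command-line special characters (space, question mark);
  * at least two of: uppercase, lowercase, digits, special characters.
"""
import string
from typing import List

MIN_LEN, MAX_LEN = 8, 16                      # simple-mode length from the page
CLI_RESERVED = {" ", "?"}                     # command-line specials that cannot appear
SPECIALS = set(string.punctuation) - CLI_RESERVED   # assumption: any other punctuation counts


def character_classes(password: str) -> List[str]:
    """Names of the complexity classes present in the password."""
    classes: List[str] = []
    if any(c.isupper() for c in password):
        classes.append("uppercase")
    if any(c.islower() for c in password):
        classes.append("lowercase")
    if any(c.isdigit() for c in password):
        classes.append("digit")
    if any(c in SPECIALS for c in password):
        classes.append("special")
    return classes


def check_local_password(password: str) -> List[str]:
    """Return the rule violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} outside {MIN_LEN}-{MAX_LEN}")
    reserved = sorted({c for c in password if c in CLI_RESERVED})
    if reserved:
        problems.append(f"contains command-line special character(s): {reserved!r}")
    if len(character_classes(password)) < 2:
        problems.append("fewer than two character classes (upper, lower, digit, special)")
    return problems


if __name__ == "__main__":
    # constructed sample passwords; the first one is the page's own example value
    for candidate in ("helloWorld123", "password", "Pa55?word", "Ab1"):
        print(candidate, "->", check_local_password(candidate) or "ok")
```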
Format
local-user user-name service-type { ftp | ppp | ssh | telnet | web } *
undo local-user user-name service-type
Parameters
user-name: specifies the user name, a string of 1 to 64 characters. It supports the wildcard *.
ftp: indicates an FTP user.
ppp: indicates a user accessing in PPP mode.
ssh: indicates an SSH user.
telnet: indicates a Telnet user, generally the network administrator.
web: indicates a Web authentication user.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
By default, all access types are available for local users.
Examples
# Set the local user hello@163.net to access through SSH.
Format
local-user user-name state { active | block }
Parameters
user-name: specifies the user name, a string of 1 to 64 characters.
active: activates the local user; the Eudemon then accepts authentication requests from the local user for further processing.
block: deactivates the local user; the Eudemon then rejects authentication requests from the local user.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
The block command takes effect on the subsequent authentication requests from the user instead of the previous online connections.
Examples
# Activate the local user hello@163.net.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello@163.net state active
# Activate all the local users in the domain 163.net, that is, * @163.net.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user *@163.net state active
Function
Using the local-user vpn-instance command, you can bind a local user with a VPN instance. Using the undo local-user vpn-instance command, you can cancel the above configuration.
Format
local-user user-name vpn-instance vpn-instance-name
undo local-user user-name vpn-instance
Parameters
user-name: specifies the user name. It is a case-insensitive string of 1 to 64 characters.
vpn-instance-name: specifies the name of the VPN instance. It is a string of 1 to 31 characters.
Views
AAA view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Bind local user hello with VPN instance test.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] local-user hello vpn-instance test
Format
vlan-batch user access-limit max-number interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *
undo vlan-batch user access-limit interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *
Parameters
max-number: specifies the maximum number of access users. The value is an integer ranging from 1 to 20608.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
start-vlan-id: specifies the starting VLAN ID, in the range 1 to 4094.
number: sets the total number of VLANs, in the range 1 to (4094 minus start-vlan-id).
domain-name: specifies the name of a domain, a string of 1 to 20 characters.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
By default, there is no limit. Generally, a user account can set up multiple accesses, for example, 16 accesses through a VLAN or even more. The access limit of a RADIUS account is determined during RADIUS authentication, while that of a local user account is configured locally. In some PPP modes, however, it is recommended to allow only one access per account. Be sure to set a number that complies with the carrier's configuration.

When the local user already has connections, the new access limit must be greater than the previous one; otherwise, the setting fails. If the change is required, use the cut access-user command to disconnect some connections first.

The number of accesses a user can set up is limited by the system capacity, the access limit of the domain where the user resides, and the user's own access limit; the smallest of these limits takes effect.
Examples
# Set the access limit to 16 for the consecutive 300 VLAN-bind local users with VLAN ID starting from 100.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] vlan-batch user access-limit 16 interface GigabitEthernet 0/0/0.1 100 300 domain lease
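The interaction of the system, domain and per-user limits, and the rule that a limit cannot be lowered below a user's current connection count, apply to both local-user access-limit and vlan-batch user access-limit above; the following model covers both. It is an added example, not code from the Huawei reference: the class and function names are constructed, the sample limits reuse the values from the page's examples, and accepting a new limit whenever it is not smaller than the current connection count follows the m < n rule in the local-user access-limit guidelines.

```python
"""Model of the Eudemon access-limit rules (added example, not from the reference)."""
from dataclasses import dataclass, field
from typing import Dict, List

SYSTEM_CAPACITY = 20608          # upper end of the access-limit range on the page
MAX_VLAN_ID = 4094


@dataclass
class AccessLimitModel:
    domain_limits: Dict[str, int] = field(default_factory=dict)  # domain -> access-limit
    user_limits: Dict[str, int] = field(default_factory=dict)    # user@domain -> access-limit
    user_online: Dict[str, int] = field(default_factory=dict)    # user@domain -> connections
    domain_online: Dict[str, int] = field(default_factory=dict)  # domain -> connections
    system_online: int = 0

    @staticmethod
    def domain_of(user: str) -> str:
        """'user@domain'; a bare name belongs to the default domain."""
        return user.split("@", 1)[1] if "@" in user else "default"

    def set_user_limit(self, user: str, new_limit: int) -> bool:
        """Apply 'local-user <user> access-limit <new_limit>'; False when it would fail."""
        if not 1 <= new_limit <= SYSTEM_CAPACITY:
            return False
        if new_limit < self.user_online.get(user, 0):
            return False   # existing connections exceed the new limit: cut some first
        self.user_limits[user] = new_limit
        return True

    def admit(self, user: str) -> bool:
        """Admit one more connection only if system, domain and user limits all allow it."""
        domain = self.domain_of(user)
        checks = (
            (self.system_online, SYSTEM_CAPACITY),
            (self.domain_online.get(domain, 0), self.domain_limits.get(domain, SYSTEM_CAPACITY)),
            (self.user_online.get(user, 0), self.user_limits.get(user, SYSTEM_CAPACITY)),
        )
        if any(online >= limit for online, limit in checks):
            return False   # the smallest of the three limits governs
        self.system_online += 1
        self.domain_online[domain] = self.domain_online.get(domain, 0) + 1
        self.user_online[user] = self.user_online.get(user, 0) + 1
        return True

    def cut(self, user: str) -> int:
        """Model 'cut access-user username local <user>': drop all of the user's connections."""
        n = self.user_online.pop(user, 0)
        domain = self.domain_of(user)
        self.domain_online[domain] = self.domain_online.get(domain, 0) - n
        self.system_online -= n
        return n


def vlan_batch_ids(start_vlan_id: int, number: int) -> List[int]:
    """VLAN IDs covered by 'start-vlan-id <start> <number>' under the page's range rules."""
    if not 1 <= start_vlan_id <= MAX_VLAN_ID:
        raise ValueError("start-vlan-id must be 1 to 4094")
    if not 1 <= number <= MAX_VLAN_ID - start_vlan_id:
        raise ValueError(f"number must be 1 to {MAX_VLAN_ID - start_vlan_id}")
    return list(range(start_vlan_id, start_vlan_id + number))


def demo() -> Dict[str, object]:
    """Replays the page's values: domain limit 100, user hello@163.net limited to 5."""
    m = AccessLimitModel(domain_limits={"163.net": 100}, user_limits={"hello@163.net": 5})
    admitted = sum(m.admit("hello@163.net") for _ in range(6))   # 5 succeed, the 6th is refused
    lowered = m.set_user_limit("hello@163.net", 3)               # fails: 5 connections exist
    cut = m.cut("hello@163.net")                                 # disconnect, then retry
    lowered_after_cut = m.set_user_limit("hello@163.net", 3)
    return {
        "admitted": admitted,
        "lowered": lowered,
        "cut": cut,
        "lowered_after_cut": lowered_after_cut,
        "vlans": len(vlan_batch_ids(100, 300)),                  # the page's 100 + 300 example
    }


if __name__ == "__main__":
    print(demo())
```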
Function
Using the vlan-batch user acl-number command, you can set an ACL for a batch of VLAN-bind local users. Using the undo vlan-batch user acl-number command, you can cancel the setting.
Format
vlan-batch user acl-number acl-number interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *
undo vlan-batch user acl-number interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *
Parameters
acl-number: specifies the ACL number, in the range 2000 to 3999; that is, both basic ACLs and advanced ACLs can be applied.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
start-vlan-id: specifies the starting VLAN ID, in the range 1 to 4094. There is no default value.
number: sets the total number of VLANs, in the range 1 to (4094 minus start-vlan-id).
domain-name: specifies the name of a domain, a string of 1 to 20 characters.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
By default, no ACL is configured.
Examples
# Apply ACL 2010 to the consecutive 300 VLAN-bind local users with VLAN ID starting from 100.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] vlan-batch user acl-number 2010 interface GigabitEthernet 0/0/0.1 100 300 domain lease
Function
Using the vlan-batch user idle-cut command, you can enable the idle-cut to a batch of local users in the VLAN mode. Using the undo vlan-batch user idle-cut command, you can disable the function.
Format
vlan-batch user idle-cut interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *
undo vlan-batch user idle-cut interface interface-type interface-number [ start-vlan-id number ] [ domain domain-name ]
Parameters
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
start-vlan-id: specifies the starting VLAN ID, in the range 1 to 4094.
number: specifies the total number of users, in the range 1 to (4094 minus start-vlan-id).
domain-name: specifies the name of a domain, a string of 1 to 20 characters.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
By default, this function is disabled.
Examples
# Enable idle-cut for the 300 consecutive VLAN-bind local users whose VLAN IDs start from 100.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] vlan-batch user idle-cut interface GigabitEthernet 0/0/0.1 100 300 domain lease
Using the vlan-batch user interface command, you can add a batch of VLAN user accounts. Using the undo vlan-batch user interface command, you can delete a batch of VLAN user accounts.
Format
vlan-batch user interface interface-type interface-number [ start-vlan-id number | domain domain-name | password password ] *
undo vlan-batch user interface interface-type interface-number [ start-vlan-id number | domain domain-name | password password ] *
Parameters
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
start-vlan-id: specifies the starting VLAN ID, in the range 1 to 4094.
number: specifies the total number of users, in the range 1 to (4094 minus start-vlan-id).
domain-name: specifies the name of a domain, a string of 1 to 20 characters.
password: specifies the password, a case-sensitive plain-text string of 1 to 16 characters, excluding command-line special characters such as the space and the question mark.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
The user name is generated by the system, so only the account needs to be configured for binding authentication in VLAN access mode. The system supports up to 1000 users. Using this command, you can create multiple consecutive VLAN user accounts; they are equivalent to accounts created with the local-user command. A local user can be deleted only when the user has no active access. To achieve this, first run the local-user state block command to block the user so that subsequent authentication requests are rejected, then run the cut access-user username local command to disconnect all of the user's connections.
Examples
# Add 300 VLAN-bind users with VLAN ID starting from 100 to the domain lease and the password is vlan.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] vlan-batch user interface GigabitEthernet 0/0/0.1 100 300 domain lease password vlan
3-226
Issue 03 (2009-06-18)
Format
vlan-batch user service-type { ftp | ppp | ssh | telnet } * interface interface-type interface-number [ start-vlan-id number ] [ domain domain-name ]
undo vlan-batch user service-type interface interface-type interface-number [ start-vlan-id number ] [ domain domain-name ]
Parameters
ftp: indicates FTP users.
ppp: indicates PPP users.
ssh: indicates SSH users.
telnet: indicates Telnet users, who are usually network administrators.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
start-vlan-id: specifies the starting VLAN ID, in the range 1 to 4094.
number: specifies the total number of users, in the range 1 to (4094 minus start-vlan-id).
domain-name: specifies the name of a domain, a string of 1 to 20 characters.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
By default, all access types are available for local users.
Examples
# Configure the Telnet service to the consecutive 300 VLAN-bind local users with the VLAN ID starting from 100.
Format
vlan-batch user state { active | block } interface interface-type interface-number [ start-vlan-id number | domain domain-name ] *
Parameters
active: activates a batch of local users; the Eudemon then accepts authentication requests from them for further processing.
block: deactivates a batch of local users; the Eudemon then rejects authentication requests from them.
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
start-vlan-id: specifies the starting VLAN ID, in the range 1 to 4094.
number: specifies the total number of users, in the range 1 to (4094 minus start-vlan-id).
domain-name: specifies the name of a domain, a string of 1 to 20 characters.
Views
AAA view
Default Level
2: Configuration level
Usage Guidelines
By default, local users are in the active state. The block keyword takes effect only on subsequent authentication requests from the users; connections that are already online are not affected (use cut access-user to disconnect them).
Examples
# Deactivate the consecutive 300 VLAN-bind local users with the VLAN ID starting from 100.
<Eudemon> system-view
[Eudemon] aaa
[Eudemon-aaa] vlan-batch user state block interface GigabitEthernet 0/0/0.1 100 300 domain lease
Format
allow l2tp virtual-template virtual-template-number remote remote-name
undo allow
Parameters
virtual-template-number: specifies the virtual template used when creating a new virtual access interface, an integer in the range 0 to 1023.
remote-name: specifies the name of the tunnel peer that initiates the connection request, a case-sensitive string of 1 to 30 characters.
Views
L2TP group view
Default Level
2: Configuration level
Usage Guidelines
By default, receiving calls is disabled. This command is used on the LNS side. In L2TP group 1 (the default L2TP group number) the tunnel peer name remote-name may be omitted, so the command format in L2TP group 1 view is: allow l2tp virtual-template virtual-template-number [ remote remote-name ]. If a peer name is specified in L2TP group 1, group 1 no longer serves as the default L2TP group. A default L2TP group is configured in order to receive tunnel connection requests from peers that present no name, or for testing. For example, the VPN client of Windows 2000 beta 2 uses the local name NONE, so the peer name received by the Eudemon is NONE. If a tunnel peer name is configured, it must match the local tunnel name (tunnel name) configured on the LAC side. Note that a default group accepts requests from any peer, so keep tunnel authentication enabled on it unless nameless peers are genuinely required.
Examples
# Receive L2TP tunnel connection request sent by LAC, the peer end of AS8010, and create virtual access interface on virtual-template 1.
<Eudemon> system-view
[Eudemon] l2tp-group 2
[Eudemon-l2tp2] allow l2tp virtual-template 1 remote AS8010
# Make L2TP group 1 the default L2TP group, receive L2TP tunnel connection requests sent by any peer, and create virtual access interfaces according to virtual template 1.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] allow l2tp virtual-template 1
Format
pppoe-server bind virtual-template virtual-template-number
undo pppoe-server bind
Parameters
virtual-template-number: indicates the number of the virtual interface template. The value is an integer ranging from 0 to 1023.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Bind virtual-template 1 to GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] pppoe-server bind virtual-template 1
Format
debugging l2tp { all | control | dump | error | event | hidden | payload | timestamp }
undo debugging l2tp { all | control | dump | error | event | hidden | payload | timestamp }
Parameters
all: enables all L2TP debugging.
control: enables control packet debugging.
dump: enables PPP packet debugging.
error: enables error debugging.
event: enables event debugging.
hidden: enables debugging of hidden AVPs.
payload: enables L2TP data packet debugging.
timestamp: adds a time stamp to the debugging output.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Enable L2TP data packet debugging.
<Eudemon> debugging l2tp payload
Format
display l2tp session
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The output information of the command helps the user to confirm the current L2TP session.
Examples
# Display the current L2TP session.
<Eudemon> display l2tp session
 LocalSID  RemoteSID  LocalTID
 1         1          2
 Total session = 1
Table 3-9 shows the description of the display l2tp session command output.
Table 3-9 Description of the display l2tp session command output
Item           Description
Total session  Number of sessions
LocalSID       The number uniquely identifying the local session
RemoteSID      The number uniquely identifying the peer session
LocalTID       Local ID number of the tunnel
Format
display l2tp tunnel
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The output information of the command helps the user to confirm the current L2TP tunnel.
Examples
# Display the current L2TP tunnel.
<Eudemon> display l2tp tunnel
 LocalTID  RemoteTID  RemoteAddress  Port  Sessions  RemoteName
 1         8          172.168.10.2   1701  1         AS80101
 Total tunnels = 1
Table 3-10 shows the description of the display l2tp tunnel command output.
Table 3-10 Description of the display l2tp tunnel command output
Item           Description
Total tunnels  Number of L2TP tunnels
LocalTID       The number uniquely identifying the local tunnel
RemoteTID      The number uniquely identifying the peer tunnel
RemoteAddress  IP address of the peer end
Port           Port number of the peer end
Sessions       Number of sessions on the tunnel
RemoteName     Name of the peer end
Format
interface virtual-template virtual-template-number
undo interface virtual-template virtual-template-number
Parameters
virtual-template-number: specifies the number of virtual template, an integer in a range of 0 to 1023.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, there is no virtual template interface in the system. A virtual template interface holds the parameters for virtual interfaces, such as L2TP logical interfaces, that the system creates dynamically during operation.
Examples
# Set and enter virtual template interface 1.
<Eudemon> system-view
[Eudemon] interface virtual-template 1
Format
l2tp domain suffix-separator separator
undo l2tp domain suffix-separator separator
Parameters
suffix-separator: indicates that the domain name is a suffix of the user name, as in vpdnuser@huawei.com.
separator: specifies the domain name delimiter. The valid delimiter is "@".
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no domain name delimiter exists. The l2tp domain suffix-separator command specifies one or more suffix delimiters; the first delimiter that matches is used. The domain name is separated from the user name at the delimiter, and L2TP then searches for that domain name among the domains specified by the start l2tp command. If such a domain is found, the user is a VPN user and a VPN tunnel connection must be established with the LNS of that user.
Examples
# Specify the domain name as a suffix, separated from the username by "@".
<Eudemon> system-view
[Eudemon] l2tp domain suffix-separator @
Format
l2tp enable
undo l2tp enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, L2TP is disabled. The L2TP VPN service is carried out only when L2TP is enabled.
Examples
# Enable L2TP on the Eudemon.
<Eudemon> system-view
[Eudemon] l2tp enable
Format
l2tp up-down log enable
undo l2tp up-down log enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
This command sets whether a log is generated when an L2TP user goes online or offline. By default, no log is generated for L2TP users going online or offline.
Examples
# Enable logging when L2TP users go online or offline.
<Eudemon> system-view
[Eudemon] l2tp up-down log enable
3.21.10 l2tp-group
Function
Using the l2tp-group command, you can create an L2TP group. Using the undo l2tp-group command, you can delete an L2TP group.
Format
l2tp-group group-number
undo l2tp-group group-number
Parameters
group-number: specifies the number of L2TP group, an integer in a range of 1 to 1000.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no L2TP group is created. The l2tp-group command creates an L2TP group (L2TP group 1 can serve as the default L2TP group). When an L2TP group is deleted with the undo l2tp-group command, the entire configuration of that group is deleted with it.
Examples
# Create L2TP group 2 and enter the L2TP group 2 view.
<Eudemon> system-view
[Eudemon] l2tp-group 2
[Eudemon-l2tp2]
3.21.11 mandatory-chap
Function
Using the mandatory-chap command, you can force the LNS to perform Challenge-Handshake Authentication Protocol (CHAP) authentication with the client again. Using the undo mandatory-chap command, you can disable CHAP re-authentication between the LNS and the client.
Format
mandatory-chap
undo mandatory-chap
Parameters
None
Views
L2TP group view
Default Level
2: Configuration level
Usage Guidelines
By default, CHAP re-authentication is not performed. If the mandatory-chap command is used, the client is authenticated twice: once by the access server (LAC) and once more by the LNS. Some PPP clients do not support the second authentication; for such clients, CHAP authentication on the LNS fails.
Examples
# Force to perform CHAP authentication.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] mandatory-chap
3.21.12 mandatory-lcp
Function
Using the mandatory-lcp command, you can force Link Control Protocol (LCP) renegotiation between the LNS and the client. Using the undo mandatory-lcp command, you can disable LCP renegotiation.
Format
mandatory-lcp
undo mandatory-lcp
Parameters
None
Views
L2TP group view
Default Level
2: Configuration level
Usage Guidelines
By default, LCP is not renegotiated. For a NAS-initiated VPN client, PPP negotiation is first performed with the NAS (Network Access Server, that is, the LAC) at the start of the PPP session. If the negotiation succeeds, the access server initiates the tunnel connection and passes the information collected during negotiation with the client to the LNS, which judges whether the user is legal according to the received proxy authentication information. If LCP is renegotiated and no authentication method is set on the virtual template interface, the client is authenticated once, by the LAC. If LCP is renegotiated and an authentication method is set on the interface, the client is authenticated twice, by the LAC and by the LNS. Some PPP clients do not support LCP renegotiation; for them, LCP renegotiation fails.
Examples
# Enable LCP renegotiation.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] mandatory-lcp
Format
reset l2tp tunnel local-id local-id
Parameters
local-id: specifies the local ID of the tunnel. It is an integer in the range from 1 to 8191.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
The reset l2tp tunnel local-id command forcibly tears down a tunnel connection. When the peer user calls in again, the tunnel connection is re-established.
Examples
# Release the tunnel connection numbered as 10.
<Eudemon> reset l2tp tunnel local-id 10
Format
reset l2tp tunnel peer-name peer-name
Parameters
peer-name: specifies the name of the tunnel peer, a string of 1 to 30 characters.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
The reset l2tp tunnel peer-name command forcibly tears down a tunnel connection. When the peer user calls in again, the tunnel connection is re-established. If no tunnel connection matches the name, existing tunnel connections are not affected. If several matching tunnel connections exist with the same name but different IP addresses, all of them are released.
Examples
# Reset the tunnel connection of the peer end named AS8010.
<Eudemon> reset l2tp tunnel peer-name AS8010
Format
start l2tp { ip ip-address } &<1-5> { domain domain-name | fullusername user-name }
undo start
Parameters
ip ip-address: specifies the IP address of the tunnel peer (LNS). Up to five addresses can be set; they act as backups for each other.
domain domain-name: specifies the domain name that triggers the connection request, a case-sensitive string of 1 to 20 characters.
fullusername user-name: specifies the full user name that triggers the connection request, a case-sensitive string of 1 to 64 characters.
Views
L2TP group view
Default Level
2: Configuration level
Usage Guidelines
This command is used on the LAC side. It specifies the IP address of the LNS and supports the following ways of triggering a connection request:
- by the user's domain name: for example, if the domain name of the user's company is huawei.com, users whose domain name is huawei.com can be specified as VPN users;
- by the full user name: the user is specified as a VPN user directly.
If the user is found to be a VPN user, the local end (LAC) sends an L2TP tunnel connection request to an LNS according to the configured LNS sequence. The first LNS that responds becomes the tunnel peer; if an LNS does not respond, the LAC sends the tunnel connection request to the next LNS.
NOTE
When multiple LNSs are configured, the LAC may time out after a PPP user accesses, and the L2TP tunnel then fails to be set up. Increasing the PPP negotiation time solves this problem.
These ways of identifying VPN users can conflict. For example, the LNS address selected by full user name may be 1.1.1.1 while the one selected by domain name is 1.1.1.2, so a fixed search order is needed. The search order is: first check, by full user name, whether an L2TP group is specified for that user name; if not, search by domain name.
Examples
# Identify VPN users by the domain name huawei.com; the IP address of the L2TP access server (LNS) at the headquarters is 202.38.168.1.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] start l2tp ip 202.38.168.1 domain huawei.com
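The LAC-side decision described for l2tp domain suffix-separator and start l2tp above, as an added Python example (not code from the Huawei reference or the Eudemon software): it models a LAC holding several L2TP groups, splits the domain off the user name with the configured suffix delimiters (first matching delimiter wins), applies the documented search order (full user name first, then domain name) and returns the ordered LNS list that the matched group's start l2tp command supplies. The L2tpGroup and LacConfig classes, the function names and the sample configuration are this example's own assumptions; the sample reproduces the conflict from the text, where the full user name points at 1.1.1.1 but the domain points at 1.1.1.2.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class L2tpGroup:
    """One 'l2tp-group' on the LAC (this example's model, not the Eudemon's)."""
    number: int
    lns_addresses: List[str]            # 'start l2tp ip ...': at most five, tried in order
    domain: Optional[str] = None        # 'start l2tp ip ... domain domain-name'
    fullusername: Optional[str] = None  # 'start l2tp ip ... fullusername user-name'


@dataclass
class LacConfig:
    suffix_separators: List[str] = field(default_factory=list)  # 'l2tp domain suffix-separator'
    groups: Dict[int, L2tpGroup] = field(default_factory=dict)


def split_domain(username: str, separators: List[str]) -> Tuple[str, Optional[str]]:
    """Split 'user<sep>domain' using the first configured separator found.

    Mirrors 'l2tp domain suffix-separator': delimiters are tried in the order
    configured and the first one present in the user name is used.
    """
    for sep in separators:
        idx = username.find(sep)
        if idx != -1:
            return username[:idx], username[idx + len(sep):]
    return username, None


def select_group(cfg: LacConfig, username: str) -> Optional[L2tpGroup]:
    """Return the L2TP group that makes this PPP user a VPN user, or None.

    Search order from the reference: a group bound to the full user name
    wins; only if none matches is the domain name looked up. Matching is
    exact and case sensitive, as the parameters are documented.
    """
    by_number = sorted(cfg.groups.values(), key=lambda g: g.number)
    for group in by_number:
        if group.fullusername is not None and group.fullusername == username:
            return group
    _, domain = split_domain(username, cfg.suffix_separators)
    if domain is not None:
        for group in by_number:
            if group.domain is not None and group.domain == domain:
                return group
    return None  # ordinary PPP user, terminated locally


def lns_try_order(cfg: LacConfig, username: str) -> List[str]:
    """LNS addresses the LAC will try, in configured order, for this user."""
    group = select_group(cfg, username)
    return list(group.lns_addresses) if group else []


# Constructed sample configuration (not from the page): group 1 selects by
# domain with a backup LNS, group 2 selects one user by full user name.
SAMPLE_CFG = LacConfig(
    suffix_separators=["@"],
    groups={
        1: L2tpGroup(1, ["1.1.1.2", "1.1.1.3"], domain="huawei.com"),
        2: L2tpGroup(2, ["1.1.1.1"], fullusername="alice@huawei.com"),
    },
)

if __name__ == "__main__":
    for user in ("alice@huawei.com", "bob@huawei.com", "carol@example.com", "dave"):
        print(user, "->", lns_try_order(SAMPLE_CFG, user) or "not a VPN user")
```

alice@huawei.com is sent to 1.1.1.1 even though her domain would select group 1, bob@huawei.com gets the group 1 list [1.1.1.2, 1.1.1.3], and users with an unknown domain or no delimiter are not VPN users at all.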
Format
timer hold seconds
undo timer hold
Parameters
seconds: specifies the value of the polling interval. The value ranges from 0 to 32767 in seconds. 0 indicates that the link detection is disabled.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the polling interval of the link layer protocol applied on the interface is 10 seconds. The polling interval of devices on both ends must be consistent.
Examples
# Set the polling interval on Virtual-Template 1 to 20 seconds.
<Eudemon> system-view
[Eudemon] interface Virtual-Template 1
[Eudemon-Virtual-Template1] timer hold 20
Format
tunnel authentication
undo tunnel authentication
Parameters
None
Views
L2TP group view
Default Level
2: Configuration level
Usage Guidelines
By default, L2TP tunnel authentication is enabled. For security, authentication should normally be performed on both ends of the tunnel. Tunnel authentication can be omitted only for network connectivity tests or when accepting connections from nameless peers; without it, any host that can reach the LNS can bring up a tunnel without knowing the tunnel password.
Examples
# Disable authenticating the peer end of the tunnel.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] undo tunnel authentication
Format
tunnel avp-hidden
undo tunnel avp-hidden
Parameters
None
Views
L2TP group view
Default Level
2: Configuration level
Usage Guidelines
By default, AVP data is transmitted in plain text. Some L2TP parameters are carried in AVPs; if higher security is required, use this command to transmit AVPs hidden. AVP hiding derives its keystream from the tunnel authentication password (the shared secret), so it protects nothing unless a tunnel password is configured on both ends, and it provides confidentiality only, not integrity.
Examples
# Set AVP data to be transmitted in hidden.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] tunnel avp-hidden
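For the tunnel authentication and tunnel avp-hidden commands above (and the tunnel password they depend on), the following added Python example, which is not Huawei's code, shows what the tunnel password is actually used for, as RFC 2661 defines it: the three-message challenge/response exchange in which the LAC and the LNS each prove knowledge of the shared secret, and the chained-MD5 AVP hiding that keys its keystream from the same secret. Both peers are implemented so that a mismatched password visibly fails. The secrets, random vectors and attribute values are constructed sample data; the function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

# Control message types whose Challenge Response AVP is computed
# (RFC 2661 section 5.1.1): 2 = SCCRP (LNS answers the LAC), 3 = SCCCN (LAC answers the LNS).
SCCRP = 2
SCCCN = 3


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response = MD5(one-octet message type + shared secret + challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def tunnel_authenticate(lac_secret: bytes, lns_secret: bytes, rng=os.urandom):
    """Run SCCRQ / SCCRP / SCCCN tunnel authentication for both peers.

    Returns (lns_accepts_lac, lac_accepts_lns). Each side only ever uses its
    own configured 'tunnel password'; the tunnel comes up only if both are
    True. 'undo tunnel authentication' skips this exchange entirely.
    """
    lac_challenge = rng(16)                                              # carried in SCCRQ
    lns_response = challenge_response(SCCRP, lns_secret, lac_challenge)  # carried in SCCRP
    lns_challenge = rng(16)                                              # carried in SCCRP
    lac_accepts_lns = hmac.compare_digest(
        lns_response, challenge_response(SCCRP, lac_secret, lac_challenge))
    lac_response = challenge_response(SCCCN, lac_secret, lns_challenge)  # carried in SCCCN
    lns_accepts_lac = hmac.compare_digest(
        lac_response, challenge_response(SCCCN, lns_secret, lns_challenge))
    return lns_accepts_lac, lac_accepts_lns


def _keystream_block(attr_type: int, secret: bytes, random_vector: bytes, prev_cipher):
    """b1 = MD5(attribute type + S + RV); bi = MD5(S + c(i-1))  (RFC 2661 section 4.3)."""
    if prev_cipher is None:
        return hashlib.md5(struct.pack("!H", attr_type) + secret + random_vector).digest()
    return hashlib.md5(secret + prev_cipher).digest()


def hide_avp(attr_type: int, value: bytes, secret: bytes, random_vector: bytes,
             rng=os.urandom) -> bytes:
    """Hide an AVP value: 2-octet original length + value + random padding to a
    multiple of 16 octets, each 16-octet chunk XORed with the chained keystream."""
    plain = struct.pack("!H", len(value)) + value
    plain += rng((-len(plain)) % 16)
    hidden, prev = bytearray(), None
    for i in range(0, len(plain), 16):
        block = _keystream_block(attr_type, secret, random_vector, prev)
        prev = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))
        hidden += prev
    return bytes(hidden)


def unhide_avp(attr_type: int, hidden: bytes, secret: bytes, random_vector: bytes) -> bytes:
    """Reverse hide_avp. Hiding carries no integrity check, so a wrong secret
    yields garbage; the length sanity check is the only thing that may catch it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden AVP value must be a non-empty multiple of 16 octets")
    plain, prev = bytearray(), None
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        block = _keystream_block(attr_type, secret, random_vector, prev)
        plain += bytes(c ^ b for c, b in zip(cipher, block))
        prev = cipher
    (orig_len,) = struct.unpack("!H", bytes(plain[:2]))
    if orig_len > len(plain) - 2:
        raise ValueError("length field out of range: wrong secret or corrupted AVP")
    return bytes(plain[2:2 + orig_len])


if __name__ == "__main__":
    rv = os.urandom(16)                                    # constructed Random Vector AVP
    print(tunnel_authenticate(b"yougotit", b"yougotit"))   # (True, True)
    print(tunnel_authenticate(b"yougotit", b"wrong"))      # (False, False)
    h = hide_avp(7, b"hostname-of-lac", b"yougotit", rv)   # 7 = Host Name AVP
    print(unhide_avp(7, h, b"yougotit", rv))
```

Both mechanisms rest on unkeyed MD5 over a static secret sent nowhere in clear, which is why the tunnel password should be long and random: an on-path observer who captures a challenge and its response can test candidate passwords offline.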
Function
Using the tunnel name command, you can specify the local name of the tunnel. Using the undo tunnel name command, you can restore the local name to the default value.
Format
tunnel name name
undo tunnel name
Parameters
name: specifies the local name of the tunnel, a string of 1 to 30 characters.
Views
L2TP group view
Default Level
2: Configuration level
Usage Guidelines
By default, the local tunnel name is the Eudemon's host name: when an L2TP group is created, its local name is initialized to the Eudemon name.
Examples
# Set the local name of the tunnel as "itsme".
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] tunnel name itsme
Format
tunnel password { simple | cipher } password
undo tunnel password
Parameters
simple: the password is stored and displayed in plain text.
cipher: the password is stored and displayed in cipher text.
password: the password used for tunnel authentication, case sensitive: a string of 1 to 16 characters in simple mode, or a 24-character cipher-text string in cipher mode, excluding command-line special characters such as the space and the question mark.
Views
L2TP group view
Default Level
2: Configuration level
Usage Guidelines
By default, the password of tunnel authentication is null.
Examples
# Set the password of tunnel authentication as "yougotit", and display it in cipher text.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] tunnel password cipher yougotit
Format
tunnel timer hello hello-interval
undo tunnel timer hello
Parameters
hello-interval: sets the interval at which Hello packets are sent when the LAC or LNS has no other packets to send, an integer in seconds in the range 60 to 1000.
Views
L2TP group view
Default Level
2: Configuration level
Usage Guidelines
By default, a Hello packet is sent every 60 seconds. Different Hello intervals can be configured on the LNS and the LAC.
Examples
# Set the Hello packet interval to 99 seconds.
<Eudemon> system-view
[Eudemon] l2tp-group 1
[Eudemon-l2tp1] tunnel timer hello 99
Format
debugging tunnel
undo debugging tunnel
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Enable tunnel information debugging.
<Eudemon> debugging tunnel
3.22.2 destination
Function
Using the destination command, you can specify the destination IP address written into the IP header that the tunnel interface adds during encapsulation. Using the undo destination command, you can delete the setting.
Format
destination ip-address
undo destination
Parameters
ip-address: assigns the IP address of the real physical interface used by the peer end of the tunnel.
Views
Tunnel interface view
Default Level
2: Configuration level
Usage Guidelines
By default, no tunnel destination address is specified. The tunnel destination address is the IP address of the real physical interface that receives the GRE packets; it must be the same as the source address specified on the peer's tunnel interface, and a route to that physical interface of the peer must be reachable. Two or more tunnel interfaces using the same encapsulation protocol cannot be configured with an identical source address and destination address pair.
Examples
# Create tunnel connection between the interface GigabitEthernet 0/0/0 of the EudemonA (with IP address of 193.101.1.1) and the interface GigabitEthernet 0/0/0 of the EudemonB (with IP address of 192.100.1.1).
<EudemonA> system-view
[EudemonA] interface tunnel 0
[EudemonA-Tunnel0] source 193.101.1.1
[EudemonA-Tunnel0] destination 192.100.1.1
<EudemonB> system-view
[EudemonB] interface tunnel 0
[EudemonB-Tunnel0] source 192.100.1.1
[EudemonB-Tunnel0] destination 193.101.1.1
Format
display interface tunnel [ number ]
Parameters
number: specifies the tunnel interface number. On a Eudemon with an integrated structure it is displayed in one-dimensional form.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Using the display interface tunnel command, you can view the working status of a tunnel interface, including the source address, the destination address (the address of the real physical interface that receives or sends the GRE packets), the encapsulation mode, the identification keyword and the end-to-end check setting.
Examples
# Display the current tunnel interface.
<Eudemon> display interface tunnel 0
Tunnel0 current state : UP
Line protocol current state : UP
Description : HUAWEI, Eudemon Series, Tunnel0 Interface
The Maximum Transmit Unit is 1500 bytes
Internet Address is 1.1.2.1/24
Table 3-11 shows the description of the display interface tunnel 0 command output.
Table 3-11 Description of the display interface tunnel 0 command output
Item                               Description
Tunnel0 current state : UP         The physical layer of the tunnel interface is UP.
Line protocol current state : UP   The link layer of the tunnel interface is UP.
Description                        The description of the tunnel interface, which is HUAWEI by default.
Eudemon Series                     The Eudemon is of the Quidway series.
Tunnel0 Interface                  Tunnel interface number.
Maximum Transmit Unit              The MTU of the tunnel, 1500 bytes in this example.
Encapsulation                      The tunnel is formed by GRE encapsulation.
loopback                           Whether the loopback test is enabled. The tunnel interface does not support the loopback test, so it is disabled in this example.
Source address                     Source address of the tunnel, 10.1.1.1 here.
Destination address                Destination address of the tunnel, 1.1.1.4 here.
Encapsulation mode                 Encapsulation protocol and transport protocol of the tunnel, GRE and IP here.
Identification keyword             Identification keyword (GRE key) of the tunnel interface, not specified here.
End-to-end check                   End-to-end check (GRE checksum) of the tunnel, disabled here.
Format
gre checksum
Parameters
None
Views
Tunnel interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the end-to-end check between the two ends of the tunnel is disabled. Checksum can be enabled or disabled on each end of the tunnel independently according to the actual need. If checksum is enabled on the local end and disabled on the peer, the local end computes a checksum for the packets it sends but does not verify the packets it receives (they carry none). Conversely, if checksum is disabled locally and enabled on the peer, the local end verifies the checksum on packets received from the peer but sends its own packets without one.
Examples
# Create a tunnel between tunnel 0 interface of the EudemonA and tunnel 2 interface of the EudemonB and set check on both ends of the tunnel.
<EudemonA> system-view
[EudemonA] interface tunnel 0
[EudemonA-Tunnel0] gre checksum
<EudemonB> system-view
[EudemonB] interface tunnel 2
[EudemonB-Tunnel2] gre checksum
Format
gre key key-number
undo gre key
Parameters
key-number: specifies an ID keyword for the two ends of the tunnel, an integer in a range of 0 to 4294967295.
Views
Tunnel interface view
Default Level
2: Configuration level
Usage Guidelines
By default, no tunnel identification keyword is set. If key-number is set, the same key-number must be configured on both ends of the tunnel; otherwise it must be set on neither end. Note that the GRE key travels in plain text in every packet and only serves to match packets to the right tunnel; it is not an authentication mechanism, so do not rely on it to keep unauthorized peers out.
Examples
# Create a tunnel between the EudemonA and the EudemonB and sets the identification keyword of the tunnel.
<EudemonA> system-view
[EudemonA] interface Tunnel 3
[EudemonA-Tunnel3] gre key 123
<EudemonB> system-view
[EudemonB] interface Tunnel 2
[EudemonB-Tunnel2] gre key 123
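The gre checksum and gre key behaviour described above, as an added Python example that is not Huawei's code: it builds a GRE header (RFC 2784 with the RFC 2890 Key field) with an optional checksum and key, and decapsulates it the way the reference describes the receiver: a checksum is verified only when the packet carries one, whatever the local setting, and the Key field must equal the locally configured key-number (a packet with a key where none is configured, or vice versa, is dropped). The function names, the payload and the key value 123 reused from the example are this example's own choices.

```python
import struct
from typing import Optional, Tuple

GRE_FLAG_C = 0x8000   # Checksum Present ('gre checksum' on the sender)
GRE_FLAG_K = 0x2000   # Key Present ('gre key key-number' on the sender)
GRE_FLAG_S = 0x1000   # Sequence Number Present (not emitted by this sender)
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = ETHERTYPE_IPV4,
              checksum: bool = False, key: Optional[int] = None) -> bytes:
    """Encapsulate payload in a GRE header: flags/version, protocol type,
    optional checksum + reserved1, optional key, then the payload."""
    flags = (GRE_FLAG_C if checksum else 0) | (GRE_FLAG_K if key is not None else 0)
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)          # checksum placeholder, Reserved1
    if key is not None:
        header += struct.pack("!I", key & 0xFFFFFFFF)
    packet = header + payload
    if checksum:                                    # checksum covers header and payload
        packet = packet[:4] + struct.pack("!H", ip_checksum(packet)) + packet[6:]
    return packet


def parse_gre(packet: bytes, expected_key: Optional[int] = None) -> Optional[Tuple[int, bytes]]:
    """Decapsulate. Returns (protocol type, payload) or None if the packet is dropped."""
    if len(packet) < 4:
        return None
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:                              # version must be 0 (RFC 2784)
        return None
    offset = 4
    if flags & GRE_FLAG_C:                          # verify only if the sender put one in
        if len(packet) < offset + 4:
            return None
        (stored,) = struct.unpack("!H", packet[4:6])
        if ip_checksum(packet[:4] + b"\x00\x00" + packet[6:]) != stored:
            return None                             # end-to-end check failed
        offset += 4
    key = None
    if flags & GRE_FLAG_K:
        if len(packet) < offset + 4:
            return None
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_S:
        if len(packet) < offset + 4:
            return None
        offset += 4
    if key != expected_key:                         # both ends keyed alike, or neither
        return None
    return proto, packet[offset:]


if __name__ == "__main__":
    pkt = build_gre(b"inner ip packet", checksum=True, key=123)   # constructed payload
    print(pkt.hex())
    print(parse_gre(pkt, expected_key=123))                       # accepted
    print(parse_gre(pkt, expected_key=124))                       # None: key mismatch
    print(parse_gre(build_gre(b"x"), expected_key=None))          # accepted, no check made
```

The last two checks in the test below are the two cases the usage guidelines spell out: a packet without a checksum is accepted by a checksum-enabled receiver without verification, and a keyed packet arriving at an unkeyed tunnel (or with the wrong key) is dropped.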
Format
interface tunnel number
undo interface tunnel number
Parameters
number: specifies the tunnel interface number, displayed in one-dimensional form on the Eudemon. It ranges from 0 to 1023.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, there is no tunnel interface in the system. Using the interface tunnel command, you enter the view of the specified tunnel interface; if the tunnel interface does not exist, it is created before the interface view is entered. The tunnel interface number is of local significance only, so different interface numbers can be used on the two ends of a tunnel.
Examples
# Create the tunnel interface numbered as 0.
<Eudemon> system-view
[Eudemon] interface tunnel 0
[Eudemon-Tunnel0]
3.22.7 source
Function
Using the source command, you can assign the source IP address for a Tunnel interface. Using the undo source command, you can cancel the setting.
Format
source { ip-address | interface-type interface-number }
undo source
Parameters
ip-address: assigns the IP address of the real interface sending GRE packets. interface-type interface-number: specifies the type and number of an interface.
Views
Tunnel interface view
Default Level
2: Configuration level
Usage Guidelines
By default, no tunnel source address is specified. The source address is the address of the real interface that sends the GRE packets, and it must be the same as the destination address specified on the peer. Two or more tunnel interfaces using the same encapsulation protocol cannot be configured with an identical source address and destination address pair.
Examples
# Configure tunnel 0 on Eudemon. The real outgoing interface of packets is GigabitEthernet 0/0/0 (with the IP address 192.100.1.1).
<Eudemon> system-view
[Eudemon] interface Tunnel 0
[Eudemon-Tunnel0] source 192.100.1.1
Format
tunnel-protocol gre
undo tunnel-protocol
Parameters
gre: identifies the encapsulation protocol of the tunnel.
Views
Tunnel interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the encapsulation protocol and the transport protocol for the tunnel interface are GRE and IP respectively.
Examples
# Create a tunnel between EudemonA and EudemonB. Set the encapsulation protocol as GRE and transport protocol as IP for the tunnel.
<EudemonA> system-view
[EudemonA] interface Tunnel 3
[EudemonA-Tunnel3] tunnel-protocol gre
<EudemonB> system-view
3.23.30 integrity-algorithm
3.23.31 ipsec pre-check enable
3.23.32 ipsec succeed-check enable
3.23.33 ipsec policy (Interface View)
3.23.34 ipsec policy (System View)
3.23.35 ipsec policy-template
3.23.36 ipsec proposal
3.23.37 ipsec sa global-duration
3.23.38 local-address
3.23.39 local-id-type
3.23.40 nat traversal
3.23.41 pfs
3.23.42 pre-shared-key
3.23.43 proposal
3.23.44 remote-address
3.23.45 remote-name
3.23.46 reset ike sa
3.23.47 reset ipsec sa
3.23.48 reset ipsec statistics
3.23.49 sa authentication-hex
3.23.50 sa binding (IPSec Policy View in manual mode)
3.23.51 sa binding (IKE Peer View)
3.23.52 sa duration (IKE Proposal View)
3.23.53 sa duration (IPSec Policy View or IPSec Policy Template View)
3.23.54 sa encryption-hex
3.23.55 sa reauth duration
3.23.56 sa spi
3.23.57 sa string-key
3.23.58 security acl
3.23.59 speed-limit
3.23.60 transform
3.23.61 tunnel local
3.23.62 tunnel remote
3.23.63 version
3.23.1 ah authentication-algorithm
Function
Using the ah authentication-algorithm command, you can set the authentication algorithm used by the Authentication Header (AH) protocol in an IPSec proposal. Using the undo ah authentication-algorithm command, you can restore the default setting.
Format
ah authentication-algorithm { md5 | sha1 }
undo ah authentication-algorithm
Parameters
md5: adopts the MD5 algorithm.
sha1: adopts the SHA-1 algorithm.
Views
IPSec proposal view
Default Level
2: Configuration level
Usage Guidelines
By default, the md5 authentication algorithm is adopted. The AH protocol provides no encryption; it only authenticates packets. The Message-Digest Algorithm 5 (MD5) uses a 128-bit key, and SHA-1 uses a 160-bit key. MD5 is faster than SHA-1, while SHA-1 is more secure than MD5. The IPSec proposals used by the security policies at both ends of the security tunnel must use the same authentication algorithm.
Examples
# Set the AH protocol to adopt the SHA-1 algorithm during security proposal prop1 configuration.
<Eudemon> system-view
[Eudemon] ipsec proposal prop1
[Eudemon-ipsec-proposal-prop1] transform ah
[Eudemon-ipsec-proposal-prop1] ah authentication-algorithm sha1
3.23.2 authentication-algorithm
Function
Using the authentication-algorithm command, you can select an authentication algorithm for an IKE proposal. Using the undo authentication-algorithm command, you can restore the default.
Format
authentication-algorithm { md5 | sha1 }
undo authentication-algorithm
Parameters
md5: selects the MD5 authentication algorithm.
sha1: selects the SHA-1 authentication algorithm.
Views
IKE proposal view
Default Level
2: Configuration level
Usage Guidelines
By default, SHA-1 authentication algorithm is used.
Examples
# Set MD5 as the authentication algorithm for IKE proposal 10.
<Eudemon> system-view
[Eudemon] ike proposal 10
[Eudemon-ike-proposal-10] authentication-algorithm md5
3.23.3 authentication-method
Function
Using the authentication-method command, you can set the authentication method for IKE negotiation. Using the undo authentication-method command, you can restore the default authentication method.
Format
authentication-method pre-share
undo authentication-method
Parameters
pre-share: specifies the pre-shared key authentication method.
Views
IKE proposal view
Default Level
2: Configuration level
Usage Guidelines
By default, an IKE proposal uses the pre-shared key authentication method. With pre-shared key authentication, you must configure a pre-shared key for the peer, and the two peers of a security connection must have identical pre-shared keys.
Examples
# Specify the authentication method for IKE proposal 10 as the pre-shared key authentication.
<Eudemon> system-view
[Eudemon] ike proposal 10
[Eudemon-ike-proposal-10] authentication-method pre-share
Format
debugging ike { all | error | exchange | message | misc | transport }
undo debugging ike { all | error | exchange | message | misc | transport }
Parameters
all: enables or disables all IKE debugging.
error: enables or disables error debugging.
exchange: enables or disables IKE exchange state machine debugging.
message: enables or disables IKE message debugging.
misc: enables or disables all other IKE debugging.
transport: enables or disables transport debugging.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, IKE debugging is disabled.
Examples
# Enable IKE error information debugging.
<Eudemon> debugging ike error
Format
debugging ikev2 { all | crypto | error | exchange | message | misc }
undo debugging ikev2 { all | crypto | error | exchange | message | misc }
Parameters
all: enables or disables all IKEv2 debugging.
crypto: enables or disables IKEv2 debugging for warning information.
error: enables or disables IKEv2 debugging for error information.
exchange: enables or disables IKEv2 debugging for exchange information.
message: enables or disables IKEv2 debugging for message information.
misc: enables or disables IKEv2 debugging for miscellaneous information.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Enable the IKEv2 debugging function for error information.
<Eudemon> debugging ikev2 error
Format
debugging ipsec { all | sa | packet [ parameters ip-address protocol spi | policy policy-name [ seq-number ] ] | misc }
undo debugging ipsec { all | sa | packet [ parameters ip-address protocol spi | policy policy-name [ seq-number ] ] | misc }
Parameters
all: enables all IPSec debugging.
sa: displays debugging of an SA.
packet: displays debugging of IPSec packets.
ip-address: specifies the IP address of the peer.
protocol: specifies the security protocol, ah or esp.
spi: specifies the security parameter index (SPI), an integer in the range 256 to 4294967295.
policy: displays debugging of an IPSec policy.
policy-name: specifies the name of the IPSec policy group, a case-sensitive string of 1 to 15 letters or digits.
seq-number: displays debugging of the IPSec policy whose sequence number is seq-number, in the range 1 to 10000. If seq-number is not specified, debugging of all IPSec policies in the IPSec policy group is displayed.
misc: displays other IPSec debugging.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, IPSec debugging is disabled.
Examples
# Enable the IPSec SA debugging.
<Eudemon> debugging ipsec sa
3.23.7 dh
Function
Using the dh command, you can set DH key exchange parameters used in stage1 of the IKE negotiation. Using the undo dh command, you can restore the default.
Format
dh { group1 | group2 | group5 }
undo dh
Parameters
group1: uses the 768-bit Diffie-Hellman group in stage 1 of the key negotiation.
group2: uses the 1024-bit Diffie-Hellman group in stage 1 of the key negotiation.
group5: uses the 1536-bit Diffie-Hellman group in stage 1 of the key negotiation.
Views
IKE proposal view
Default Level
2: Configuration level
Usage Guidelines
By default, group1, that is, the 768-bit Diffie-Hellman group is used.
Examples
# Specify 768-bit Diffie-Hellman group for IKE proposal 10.
Format
display ike peer [ brief | name peer-name ]
Parameters
brief: displays brief information about all IKE peers.
peer-name: specifies the name of the IKE peer, a string of 1 to 15 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the authenticator configuration of a specific peer.
<Eudemon> display ike peer
--------------------------
IKE Peer: b
exchange mode: main on phase 1
pre-shared-key: abcde
local certificate file name:
peer certificate file name:
proposal: 10
local id type: ip
peer ip address: 202.38.169.1
vpn:
authentic ip address:
ip pool:
peer name:
sa binding vpn:
nat traversal: disable
Table 3-12 shows the description of the display ike peer command output.
Table 3-12 Description of the display ike peer command output
Item                  Description
IKE Peer              Peer name
exchange mode         Negotiation mode
pre-shared-key        ID authenticator
proposal              Configured IKE proposal
local id type         ID type: Name or IP
peer ip address       Peer IP address
authentic ip address  Trust IP address
ip pool               IP address pool
peer name             Peer name
sa binding vpn        VPN binding to the SA
nat traversal         Enable NAT traversal
Format
display ike proposal
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The IKE proposal is displayed in sequence of the priority.
Examples
# Display the configurations of an IKE proposal.
<Eudemon> display ike proposal
priority authentication authentication encryption Diffie-Hellman duration
         method         algorithm      algorithm  group          (seconds)
-------------------------------------------------------------------
23       PRE_SHARED     SHA            AES_CBC    MODP_768       86400
default  PRE_SHARED     SHA            DES_CBC    MODP_768       86400
Table 3-13 shows the description of the display ike proposal command output.
Table 3-13 Description of the display ike proposal command output
Item                      Description
priority                  Priority of the IKE proposal, an integer ranging from 1 to 100. The greater the value, the lower the priority.
encryption algorithm      Encryption algorithm used by the IKE proposal.
authentication algorithm  Authentication algorithm used by the IKE proposal.
authentication method     Authentication method used by the IKE proposal.
Diffie-Hellman group      Diffie-Hellman (DH) group ID.
sa duration               Duration of the ISAKMP SA used by the IKE proposal.
default                   Default IKE proposal, which is used by default or when none of the configured IKE proposals match. Its priority is the lowest.
Format
display ike sa [ remote remote-address ]
Parameters
remote remote-address: indicates SA information of the specific peer address.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the current security tunnels established by IKE.
<Eudemon> display ike sa
Connection-id  peer        VPN  flag   phase  doi
--------------------------------------------------------
1              202.38.0.2       RD|ST  1      IPSEC
2              202.38.0.2       RD|ST  2      IPSEC
flag meaning:
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT
Table 3-14 shows the description of the display ike sa command output.
Table 3-14 Description of the display ike sa command output
Item           Description
Connection-id  Security channel ID.
peer           Remote IP address of this SA.
flag           Status of this SA:
               - RD (READY): this SA has been established successfully.
               - ST (STAYALIVE): this end is the initiator of the channel negotiation.
               - RL (REPLACED): this SA has been replaced by a new one and will be deleted after a period of time.
               - FD (FADING): this SA has soft timed out but is still in use, and will be deleted at hard timeout.
               - TO (TIMEOUT): this SA has not received any keepalive packet since the previous keepalive timeout. If it still receives no keepalive packet by the next keepalive timeout, the SA will be deleted.
phase          Phase 1 establishes the security channel for communication; the ISAKMP SA is established in this phase. Phase 2 negotiates security services; the IPSec SA is established in this phase.
doi
Function
Using the display ipsec policy command, you can view the IPSec policy.
Format
display ipsec policy [ brief | name policy-name [ seq-number ] ]
Parameters
brief: displays all the IPSec policies in brief.
name: displays the IPSec policy with the name policy-name and sequence number seq-number.
policy-name: specifies the name of an IPSec policy, a character string of 1 to 15 characters.
seq-number: specifies the sequence number of an IPSec policy, an integer in the range 1 to 10000.
If no parameter is specified, all IPSec policies are displayed. If name policy-name is specified but seq-number is not, the information about the specified IPSec policy is displayed.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The brief parameter displays all IPSec policies in brief, so you can quickly view them. Brief information includes:
- Name and sequence number
- Negotiation mode
- ACL
- IKE peer name
- Local address
- Remote address
Other sub-commands are used to display the IPSec policy in detail (refer to the following example).
Examples
# Display all the IPSec policies in brief.
<Eudemon> display ipsec policy brief
IPsec-Policy-Name  Mode    acl   ike-peer  Local-Address  Remote-Address
policy1-100        manual  3001                           150.1.1.1
test-300           isakmp  3000  test
Table 3-15 shows the description of the display ipsec policy brief command output.
Table 3-15 Description of the display ipsec policy brief command output
Item               Description
IPsec-Policy-Name  Name and sequence number of an IPSec policy
Mode               Negotiation method used by an IPSec policy
acl                Access control list used by an IPSec policy
ike-peer           IKE peer involved
Local Address      Local IP address
Remote Address     Remote IP address
Table 3-16 shows the description of the display ipsec policy command output.
Table 3-16 Description of the display ipsec policy command output
Item                                     Description
IPSec Policy                             Name, sequence number and negotiation method of an IPSec policy
security data flow                       Access control list used by an IPSec policy
Ike-peer name                            IKE peer name used by an IPSec policy
perfect forward secrecy                  Perfect forward secrecy
proposal name                            Name of the proposal used by an IPSec policy
IPsec sa local duration (time based)     Time to live (TTL) of the SA (time-based)
IPsec sa local duration (traffic based)  TTL of the SA (traffic-based)
inbound/outbound ah/esp setting          Settings of the inbound/outbound direction using AH/ESP, including SPI and key
tunnel local address                     Local IP address
tunnel remote address                    Remote IP address
Format
display ipsec policy-template [ brief | name template-name [ seq-number ] ]
Parameters
brief: displays all the IPSec policy templates in brief.
name: displays the IPSec policy template with the name template-name and sequence number seq-number.
template-name: specifies the name of an IPSec policy template, a character string of 1 to 15 characters.
seq-number: specifies the sequence number of an IPSec policy template, an integer in the range 1 to 10000.
If no parameter is specified, all IPSec policy templates are displayed in detail. If name template-name is specified but seq-number is not, detailed information about the specified IPSec policy template is displayed.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The brief parameter displays all IPSec policy templates quickly and briefly. Brief information includes:
- Name and sequence number
- ACL
- IKE peer name
Examples
# Display all the IPSec policy templates in brief.
<Eudemon> display ipsec policy-template brief
Policy-template-Name  acl   ike-peer
-----------------------------------------------------
test-tplt300          3002  test-tmp
Table 3-17 shows the description of the display ipsec policy-template brief command output.
Table 3-17 Description of the display ipsec policy-template brief command output
Item                  Description
Policy-template-Name  Name and sequence number of an IPSec policy template
acl                   Access control list used by an IPSec policy template
ike-peer              IKE peer name used by an IPSec policy template
Remote Address        Remote IP address
Function
Using the display ipsec proposal command, you can view IPSec proposals. If no proposal name is specified, all proposals are displayed.
Format
display ipsec proposal [ brief | name proposal-name ]
Parameters
brief: displays brief information about the IPSec proposals.
proposal-name: specifies the name of the proposal, a character string of 1 to 15 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display all the proposals.
<Eudemon> display ipsec proposal
IPsec proposal name: prop2
  encapsulation mode: tunnel
  transform: ah-new
  ah protocol: authentication sha1-hmac-96
IPsec proposal name: prop1
  encapsulation mode: tunnel
  transform: esp-new
  esp protocol: authentication md5-hmac-96, encryption des
Table 3-18 shows the description of the display ipsec proposal command output.
Table 3-18 Description of the display ipsec proposal command output
Item                 Description
IPsec proposal name  Name of the proposal
encapsulation mode   Mode used by the proposal: tunnel mode
transform            Security protocols used by the proposal, of two types: AH and ESP
ah protocol          Authentication algorithm used by AH
Format
display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]
Parameters
brief: displays all SAs in brief.
remote: displays the SA whose remote address is ip-address.
ip-address: specifies the remote address of the SA in dotted decimal notation.
policy: displays the SAs in the IPSec policy group named policy-name.
policy-name: specifies the name of the IPSec policy group, a case-sensitive string of 1 to 15 letters or digits.
seq-number: specifies the IPSec policy whose sequence number is seq-number, in the range 1 to 10000. If seq-number is not specified, SAs of all IPSec policies in the IPSec policy group are displayed.
duration: displays the global SA duration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The command with the brief parameter quickly displays all SAs that are already set up. The commands with the remote and policy parameters both display SAs in detail: part of the IPSec policy is shown first, and then the SAs in that IPSec policy are shown in detail. The command with the duration parameter shows the global SA duration, including the time-based and traffic-based SA durations. Refer to the following examples. If no parameter is specified, information about all SAs is displayed.
Examples
# View the brief information of SA.
<Eudemon> display ipsec sa brief
Src Address  Dst Address  SPI  Protocol  Algorithm
-------------------------------------------------------
10.1.1.1     10.1.1.2     300  ESP       E:DES; A:HMAC-MD5-96
10.1.1.2     10.1.1.1     400  ESP       E:DES; A:HMAC-MD5-96
Table 3-19 shows the description of the display ipsec sa brief command output.
Table 3-19 Description of the display ipsec sa brief command output
Item         Description
Src Address  Local IP address.
Dst Address  Remote IP address.
SPI          Security parameter index.
Protocol     Security protocol used by IPSec: ESP or AH.
Algorithm    The authentication algorithm and encryption algorithm used by the security protocol. An entry beginning with "E" is the encryption algorithm and an entry beginning with "A" is the authentication algorithm.
Table 3-20 shows the description of the display ipsec sa command output.
Table 3-20 Description of the display ipsec sa command output
Item                          Description
Interface                     Interface using the IPSec policy.
path MTU                      Maximum IP packet length sent from the interface.
IPsec policy name             IPSec policy name.
sequence number               Sequence number of the security policy.
mode                          Negotiation mode of the security policy.
connection id                 Security channel identifier.
encapsulation mode            Mode used by IPSec.
tunnel local                  Local IP address.
tunnel remote                 Remote IP address.
inbound                       SA information of the inbound end.
proposal                      Proposal used by the IPSec policy.
sa remaining key duration     Remaining SA duration of the SA.
max received sequence-number  Maximum sequence number of the received packets (the anti-replay function provided by the security protocol).
outbound                      SA information of the outbound end.
max sent sequence-number      Maximum sequence number of the sent packets (the anti-replay function provided by the security protocol).
Format
display ipsec statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display IPSec packet statistics.
<Eudemon> display ipsec statistics
the security packet statistics:
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356
  input/output dropped security packets: 0/0
  dropped security packet detail:
    no enough memory: 0
    can't find SA: 0
    queue is full: 0
    authentication is failed: 0
    wrong length: 0
    replay packet: 0
    too long packet: 0
    wrong SA: 0
Table 3-21 shows the description of the display ipsec statistics command output.
Table 3-21 Description of the display ipsec statistics command output
Item                                   Description
input/output security packets          Input or output packets under security protection.
input/output security bytes            Input or output bytes under security protection.
input/output dropped security packets  Input or output packets under security protection that were discarded by the Eudemon.
no enough memory                       Number of packets discarded because of insufficient memory.
can't find SA                          Number of packets discarded because the SA cannot be found.
queue is full                          Number of packets discarded because the queue is full.
authentication is failed               Number of packets discarded because authentication fails.
invalid length                         Number of packets discarded because of an invalid packet length.
replay packet                          Number of packets discarded because they are replay packets.
too long packet                        Number of packets discarded because the packets are too long.
invalid SA                             Number of packets discarded because of an invalid SA.
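An added example, not part of the command reference, that parses the display ipsec statistics output described above and turns the drop counters into alerts. The sample output is constructed with a few non-zero drops; because the counters are cumulative, the baseline argument lets you compare two snapshots instead of running reset ipsec statistics between reads.

```python
import re

# Constructed output in the layout of "display ipsec statistics" (values are made up).
SAMPLE_OUTPUT = """\
<Eudemon> display ipsec statistics
the security packet statistics:
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356
  input/output dropped security packets: 7/0
  dropped security packet detail:
    no enough memory: 0
    can't find SA: 2
    queue is full: 0
    authentication is failed: 4
    wrong length: 0
    replay packet: 1
    too long packet: 0
    wrong SA: 0
"""

# Drop reasons that point at tampering, replay or a peer SA mismatch rather than a
# local resource shortage; a rising count here deserves an alert, not just a graph.
SECURITY_DROP_REASONS = ("authentication is failed", "replay packet", "wrong SA", "can't find SA")

# "input/output <name>: <in>/<out>" lines and "<reason>: <count>" detail lines.
PAIR_RE = re.compile(r"^\s*input/output (?P<name>[a-z ]+?):\s*(?P<inp>\d+)/(?P<out>\d+)\s*$")
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z' ]+?):\s*(?P<value>\d+)\s*$")


def parse_ipsec_statistics(text):
    """Return (pairs, drops): pairs maps e.g. 'security packets' -> (input, output),
    drops maps each detail reason -> count."""
    pairs, drops = {}, {}
    for line in text.splitlines():
        m = PAIR_RE.match(line)
        if m:
            pairs[m.group("name")] = (int(m.group("inp")), int(m.group("out")))
            continue
        m = COUNTER_RE.match(line)
        if m:
            drops[m.group("name")] = int(m.group("value"))
    return pairs, drops


def security_alerts(drops, baseline=None):
    """List the security-relevant reasons whose count grew since baseline
    (with no baseline, every non-zero count is reported)."""
    baseline = baseline or {}
    alerts = []
    for reason in SECURITY_DROP_REASONS:
        delta = drops.get(reason, 0) - baseline.get(reason, 0)
        if delta > 0:
            alerts.append(f"{reason}: +{delta}")
    return alerts


def drop_ratio(pairs):
    """Fraction of received protected packets that were dropped (0.0 when nothing received)."""
    received, _ = pairs.get("security packets", (0, 0))
    dropped, _ = pairs.get("dropped security packets", (0, 0))
    return dropped / received if received else 0.0


if __name__ == "__main__":
    pairs, drops = parse_ipsec_statistics(SAMPLE_OUTPUT)
    print("drop ratio: %.4f" % drop_ratio(pairs))
    for alert in security_alerts(drops):
        print("ALERT", alert)
```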
3.23.16 encapsulation-mode
Function
Using the encapsulation-mode command, you can set the encapsulation mode in which IPSec authenticates and encrypts IP packets. Using the undo encapsulation-mode command, you can restore the default setting.
Format
encapsulation-mode transport
encapsulation-mode tunnel
undo encapsulation-mode
Parameters
transport: encapsulates IP packets in transport mode.
tunnel: encapsulates IP packets in tunnel mode.
Views
IPSec proposal view
Default Level
2: Configuration level
Usage Guidelines
The encapsulation mode determines how IPSec encrypts or authenticates IP packets.
In tunnel mode, IPSec protects the whole IP packet and prepends a new IP header to it. The source and destination addresses of the new IP header are the IP addresses of the two ends of the tunnel. Packets encrypted at one Eudemon can only be decrypted at the other Eudemon, so IP packets are encapsulated in the tunnel (that is, a new IP header is prepended) and then sent to the other Eudemon, where they are decrypted.
In transport mode, IPSec encrypts or authenticates only the transport-layer protocol; the original IP header is not protected.
The proposals used by the IPSec policies at both ends of the security tunnel must use the same encapsulation mode.
Examples
# Set the proposal named prop2 as using the tunnel mode to encapsulate IP packets.
<Eudemon> system-view
[Eudemon] ipsec proposal prop2
[Eudemon-ipsec-proposal-prop2] encapsulation-mode tunnel
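An added illustration, not from the command reference, of what the two encapsulation modes do to a packet: it builds a constructed UDP packet and wraps it in an ESP header in tunnel mode (new outer IP header carrying the tunnel endpoint addresses) and in transport mode (original header kept, protocol field changed to ESP). Only header placement is modelled; the ESP trailer, encryption and integrity check value are omitted, and the tunnel endpoint addresses are assumed values.

```python
import ipaddress
import struct

ESP_PROTOCOL = 50   # IP protocol number carried in the outer header for ESP
UDP_PROTOCOL = 17


def ipv4_checksum(header):
    """One's-complement checksum over an IPv4 header; returns 0 for a header
    whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, protocol, payload_len, ttl=64):
    """Build a 20-byte IPv4 header without options, with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, protocol, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def outer_addresses(packet):
    """(source, destination, protocol) as routers between the two Eudemons see them."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])), packet[9])


def esp_encapsulate(packet, mode, spi, seq, tunnel_local=None, tunnel_remote=None):
    """Place the ESP header according to the encapsulation mode."""
    esp = struct.pack("!II", spi, seq)   # ESP header: SPI and anti-replay sequence number
    if mode == "tunnel":
        # The whole original packet, IP header included, becomes the protected payload;
        # the new outer header carries the tunnel endpoint addresses.
        body = esp + packet
        return ipv4_header(tunnel_local, tunnel_remote, ESP_PROTOCOL, len(body)) + body
    if mode == "transport":
        # Only the transport-layer data is protected; the original addresses stay
        # visible and the protocol field now says ESP.
        ihl = (packet[0] & 0x0F) * 4
        src, dst, _ = outer_addresses(packet)
        body = esp + packet[ihl:]
        return ipv4_header(src, dst, ESP_PROTOCOL, len(body), ttl=packet[8]) + body
    raise ValueError("encapsulation-mode must be tunnel or transport")


def make_sample_packet():
    """Constructed host-to-host UDP packet of the kind the tunnel would carry."""
    data = b"constructed payload"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data
    return ipv4_header("10.1.1.10", "10.2.2.20", UDP_PROTOCOL, len(udp)) + udp


if __name__ == "__main__":
    pkt = make_sample_packet()
    for mode in ("tunnel", "transport"):
        out = esp_encapsulate(pkt, mode, 300, 1, "192.100.1.1", "192.100.1.2")
        print(mode, len(out), "bytes, outer header:", outer_addresses(out))
```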
3.23.17 encryption-algorithm
Function
Using the encryption-algorithm command, you can set the encryption algorithm for an IKE proposal. Using the undo encryption-algorithm command, you can restore the default.
Format
encryption-algorithm { des-cbc | 3des-cbc | aes-cbc }
undo encryption-algorithm
Parameters
des-cbc: uses the 56-bit Data Encryption Standard (DES) algorithm in CBC mode for encryption.
3des-cbc: uses the 168-bit Triple DES (3DES) algorithm in CBC mode for encryption.
aes-cbc: uses the 128-bit Advanced Encryption Standard (AES) algorithm in CBC mode for encryption.
Views
IKE proposal view
Default Level
2: Configuration level
Usage Guidelines
By default, IKE proposals adopt 56-bit DES encryption algorithm.
Examples
# Set 56-bit DES encryption algorithm for IKE proposal 10.
<Eudemon> system-view
[Eudemon] ike proposal 10
[Eudemon-ike-proposal-10] encryption-algorithm des-cbc
Format
esp authentication-algorithm { md5 | sha1 }
undo esp authentication-algorithm
Parameters
md5: uses the MD5 algorithm with a 128-bit key.
sha1: uses the SHA-1 algorithm with a 160-bit key.
Views
IPSec proposal view
Default Level
2: Configuration level
Usage Guidelines
By default, the MD5 algorithm is used. MD5 is faster than SHA-1, while SHA-1 is more secure than MD5. ESP allows packets to be authenticated and encrypted at the same time, or only authenticated or only encrypted. The authentication algorithm and the encryption algorithm must not both be configured as null.
CAUTION
The undo esp authentication-algorithm command does not restore the authentication algorithm to the default algorithm. It sets the authentication algorithm to null; in other words, no authentication is performed. If the encryption algorithm is not null, the undo esp authentication-algorithm command takes effect. The proposals used by the security policies at both ends of the security tunnel must use the same authentication algorithm.
Examples
# Set a proposal that adopts ESP, and uses SHA1.
<Eudemon> system-view
[Eudemon] ipsec proposal prop1
[Eudemon-ipsec-proposal-prop1] transform esp
[Eudemon-ipsec-proposal-prop1] esp authentication-algorithm sha1
Format
esp encryption-algorithm { 3des | des | aes [ 128 | 192 | 256 ] }
undo esp encryption-algorithm
Parameters
des: uses the DES encryption algorithm.
3des: uses the 3DES encryption algorithm.
aes: uses the AES encryption algorithm.
128 | 192 | 256: indicates an AES key length of 128, 192 or 256 bits.
Views
IPSec proposal view
Default Level
2: Configuration level
Usage Guidelines
By default, the DES algorithm is used. 3DES meets the requirement for high confidentiality and security but is comparatively slow; DES satisfies normal security requirements. ESP allows packets to be authenticated and encrypted at the same time, or only authenticated or only encrypted. The encryption algorithm and the authentication algorithm of the ESP protocol cannot both be null. If the authentication algorithm is not null, the undo esp encryption-algorithm command takes effect.
Examples
# Set proposal prop1 to adopt ESP and use 3DES.
<Eudemon> system-view
[Eudemon] ipsec proposal prop1
[Eudemon-ipsec-proposal-prop1] transform esp
[Eudemon-ipsec-proposal-prop1] esp encryption-algorithm 3des
3.23.20 exchange-mode
Function
Using the exchange-mode command, you can set IKE negotiation mode. Using the undo exchange-mode command, you can restore the default setting.
Format
exchange-mode { aggressive | main }
undo exchange-mode
Parameters
aggressive: uses aggressive mode in IKE negotiation.
main: uses main mode in IKE negotiation.
Views
IKE Peer view
Default Level
2: Configuration level
Usage Guidelines
By default, main mode is adopted in IKE negotiation.
Examples
# Configure IKE to negotiate in aggressive mode.
<Eudemon> system-view
[Eudemon] ike peer mypeer
[Eudemon-ike-peer-mypeer] exchange-mode aggressive
3.23.21 ike dpd
Function
Using the ike dpd command, you can configure the dead peer detection (DPD) function. Using the undo ike dpd command, you can cancel the above configuration.
Format
ike dpd [ interval | on-demand ] check-interval [ retry-interval ]
undo ike dpd
Parameters
interval: indicates that the DPD function works in polling mode.
on-demand: indicates that the DPD function works in traffic-triggering mode.
check-interval: specifies the interval for transmitting DPD packets, an integer in the range 10 to 3600, in seconds.
retry-interval: specifies the interval for timeout retransmission of DPD packets, an integer in the range 2 to 60, in seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Note that:
- If you select the interval parameter, the DPD function works in polling mode, and a DPD packet is sent before a packet is sent.
- If you select on-demand, the DPD function works in traffic-triggering mode and sends a DPD packet only when there is no traffic in the tunnel.
- If neither interval nor on-demand is specified, the DPD function works in traffic-triggering mode by default.
- If retry-interval is not configured, the interval for retransmitting DPD packets is three seconds.
The ike dpd command and the 3.23.27 ike sa nat-keepalive-timer interval command are both used for checking whether the device on the peer side of the tunnel works properly. The ike dpd command saves bandwidth, because the command sends the checking packet before a packet is sent or when no packets are in the tunnel, instead of sending checking packets periodically.
Examples
# Configure the DPD function. The DPD function works in traffic-triggering mode, the interval of transmitting DPD packets is 30 seconds, and the interval of timeout retransmission of DPD packets is 5 seconds.
<Eudemon> system-view
[Eudemon] ike dpd on-demand 30 5
Format
ike local-name router-name
undo ike local-name
Parameters
router-name: specifies the ID of the local Eudemon. It is a string in a range of 1 to 15 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Set the local device ID during IKE negotiation.
Examples
# Set the ID of the local Eudemon as test.
<Eudemon> system-view
[Eudemon] ike local-name test
Format
ike peer peer-name
undo ike peer peer-name
Parameters
peer-name: sets an IKE peer name with 1 to 15 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Using this command in system view, you can enter IKE peer view. In the view, you can set parameters for the IKE peer such as negotiation mode, ID type, NAT, shared key, peer address and peer name.
Examples
# Set an IKE peer named mypeer.
<Eudemon> system-view
[Eudemon] ike peer mypeer
[Eudemon-ike-peer-mypeer]
Format
ike proposal proposal-number
undo ike proposal proposal-number
Parameters
proposal-number: specifies the priority level of an IKE proposal with an integer in a range of 1 to 100. The smaller the value is, the higher the priority level is.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the system provides a default IKE proposal with the lowest priority. Using this command in system view, you can enter IKE proposal view and define the parameters of the IKE proposal, including authentication method, encryption algorithm, authentication algorithm, DH group ID and SA duration, by using the authentication-method, encryption-algorithm, dh, authentication-algorithm, and sa duration (IKE proposal view) commands. The default proposal has the following parameters:
Encryption algorithm: DES-CBC
Authentication algorithm: HMAC-SHA1
Authentication method: Pre-Shared Key
DH group ID: MODP_768
SA duration: 86400 seconds
These parameters are used to establish a security channel once they are confirmed by both sides of the negotiation. The configured IKE proposal will be used to establish a security channel. After running the ike proposal command, you can enter the IKE proposal view and configure parameters.
Each side performing IKE negotiation can be configured with multiple IKE proposals. During IKE negotiation, both sides of the negotiation must have a matching proposal. The matching rule is that both sides of the negotiation have the same encryption algorithm, authentication algorithm, authentication method, and DH group ID. SA duration is determined by the two negotiation ends and need not be the same at both sides.
When main mode is adopted in IKE negotiation:
l If the IKE proposal is specified in the ike peer of the negotiation initiator, only the specified proposal is sent during IKE negotiation. Then, the response side searches its IKE proposal configuration for the IKE proposal that matches the specified IKE proposal. If no matching proposal exists, the negotiation fails.
l If no IKE proposal is specified in the ike peer of the negotiation initiator, all IKE proposals of the initiator are sent during IKE negotiation. Then, the response side searches its IKE proposal configuration for the IKE proposal that matches the IKE proposal of the initiator.
When aggressive mode is adopted in IKE negotiation:
l If the IKE proposal is specified in the ike peer of the negotiation initiator, the negotiation process is the same as in main mode.
l If no IKE proposal is specified in the ike peer of the negotiation initiator, only the default IKE proposal of the initiator is sent during IKE negotiation. The response side uses its default IKE proposal to match the default IKE proposal of the initiator.
Examples
# Define IKE proposal 10.
<Eudemon> system-view
[Eudemon] ike proposal 10
[Eudemon-ike-proposal-10] authentication-algorithm md5
[Eudemon-ike-proposal-10] authentication-method pre-share
[Eudemon-ike-proposal-10] sa duration 5000
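The proposal-selection rules above (matching fields, main mode versus aggressive mode, the default proposal with the lowest priority) as an added Python model; this is not Eudemon code, and the dict layout, function names and the assumption that a new proposal starts from the default parameters are the example's own.

```python
"""Added example, not Eudemon code: a model of IKE proposal selection as
described for the ike proposal command (main mode and aggressive mode).

The field names, default values and matching rule come from the reference;
the dict layout and function names are assumptions. A proposal created with
ike proposal N is assumed to start from the default parameters, as in the
reference example that overrides only some of them."""
import copy

DEFAULT_PROPOSAL = {
    "number": None,          # system default proposal, lowest priority
    "encryption": "DES-CBC",
    "auth_alg": "HMAC-SHA1",
    "auth_method": "Pre-Shared Key",
    "dh_group": "MODP_768",
    "sa_duration": 86400,
}
MATCH_FIELDS = ("encryption", "auth_alg", "auth_method", "dh_group")


def ike_proposal(number: int, **overrides) -> dict:
    """Build proposal `number` (1..100, smaller = higher priority) from the
    defaults, overriding the parameters set in IKE proposal view."""
    if not 1 <= number <= 100:
        raise ValueError("proposal number must be 1..100")
    p = copy.deepcopy(DEFAULT_PROPOSAL)
    p["number"] = number
    p.update(overrides)
    return p


def proposals_match(a: dict, b: dict) -> bool:
    """Both sides must agree on encryption, authentication algorithm,
    authentication method and DH group; SA duration need not be equal."""
    return all(a[f] == b[f] for f in MATCH_FIELDS)


def by_priority(proposals: list) -> list:
    """Configured proposals ordered by number, system default last."""
    return sorted(proposals, key=lambda p: p["number"]) + [DEFAULT_PROPOSAL]


def initiator_offer(local: list, peer_proposal, mode: str) -> list:
    """Proposals the initiator sends. `peer_proposal` is the number bound
    with ike-proposal in the ike peer view, or None if none is bound."""
    if peer_proposal is not None:
        return [p for p in local if p["number"] == peer_proposal]
    if mode == "main":
        return by_priority(local)   # main mode: all local proposals
    return [DEFAULT_PROPOSAL]       # aggressive mode: default proposal only


def negotiate(initiator: list, peer_proposal, responder: list, mode: str):
    """Return the (initiator proposal, responder proposal) pair that matched,
    or None when the responder finds no matching proposal (negotiation fails)."""
    offered = initiator_offer(initiator, peer_proposal, mode)
    if mode == "aggressive" and peer_proposal is None:
        candidates = [DEFAULT_PROPOSAL]  # responder matches default against default
    else:
        candidates = by_priority(responder)  # responder searches all its proposals
    for offer in offered:
        for cand in candidates:
            if proposals_match(offer, cand):
                return offer, cand
    return None
```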
Format
ike sa keepalive-timer interval seconds
undo ike sa keepalive-timer interval
Parameters
seconds: sets the interval, at which keepalive packets are sent to the remote end through ISAKMP SA in a range of 30 to 3600 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, this function is disabled. This command sets the interval at which keepalive packets are sent to the remote end through the ISAKMP SA. IKE maintains the tunnel status of the ISAKMP SA through these packets. When the timeout period is set through the ike sa keepalive-timer timeout command at the remote end, the interval for sending keepalive packets needs to be set at the local end. When the remote end does not receive a keepalive packet within the configured timeout period, the ISAKMP SA and the IPSec SAs negotiated under it are deleted if this ISAKMP SA is already marked with TIMEOUT; otherwise, this ISAKMP SA is marked with TIMEOUT. Thus, the configured timeout period needs to be longer than the interval for sending keepalive packets.
Examples
# Set the interval at which the local end sends keepalive packets to the remote end to 20 seconds.
<Eudemon> system-view
[Eudemon] ike sa keepalive-timer interval 20
Format
ike sa keepalive-timer timeout seconds
undo ike sa keepalive-timer timeout
Parameters
seconds: specifies the timeout value for ISAKMP SA to wait for the keepalive packet in a range of 30 to 3600 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, this function is disabled. This command sets the timeout for waiting for the remote end to send the keepalive packet. IKE maintains the link state of the ISAKMP SA according to the keepalive packet. When no keepalive packet is received from the remote end within the configured timeout, an ISAKMP SA that already carries the TIMEOUT flag is deleted together with the corresponding IPSec SAs; otherwise the ISAKMP SA is marked with TIMEOUT. Thus, the timeout should be set longer than the interval at which the keepalive packet is sent. Generally, packets are not lost more than three consecutive times in the network, so the timeout can be set to three times the keepalive interval configured at the remote end.
Examples
# Set the timeout for the local end to wait for the remote end to send the keepalive packet to 20 seconds.
<Eudemon> system-view
[Eudemon] ike sa keepalive-timer timeout 20
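The keepalive rules of the two commands above (value ranges, timeout longer than the peer's interval, the two-step TIMEOUT mark then delete) as an added Python model; this is not Eudemon code, and it assumes the timeout is evaluated once per timeout period and that a received keepalive clears a pending TIMEOUT mark, neither of which the reference states.

```python
"""Added example, not Eudemon code: a model of the ISAKMP SA keepalive
check described for ike sa keepalive-timer interval / timeout.

Assumptions (not stated in the reference): the local end evaluates the
timeout once per `timeout` period, and a keepalive received while the SA
carries the TIMEOUT flag clears that flag."""
from dataclasses import dataclass, field

KEEPALIVE_RANGE = (30, 3600)  # valid range for both interval and timeout, seconds


def check_keepalive_config(remote_interval: int, local_timeout: int) -> list:
    """Report problems with a (remote sending interval, local timeout) pair.

    Rules from the reference: both values lie in 30..3600 seconds, the timeout
    must be longer than the peer's interval, and three times the interval is
    the suggested timeout so that a few consecutive lost packets are tolerated;
    shorter timeouts are therefore reported as a warning.
    """
    low, high = KEEPALIVE_RANGE
    problems = []
    if not low <= remote_interval <= high:
        problems.append("interval out of range")
    if not low <= local_timeout <= high:
        problems.append("timeout out of range")
    if local_timeout <= remote_interval:
        problems.append("timeout not longer than interval")
    elif local_timeout < 3 * remote_interval:
        problems.append("warning: timeout shorter than 3 x interval")
    return problems


@dataclass
class IsakmpSa:
    """Phase 1 SA carrying the flag letters that display ike sa shows."""
    connection_id: int
    peer: str
    flags: set = field(default_factory=lambda: {"RD", "ST"})
    ipsec_sas: list = field(default_factory=list)  # phase 2 SAs negotiated under it
    deleted: bool = False

    def keepalive_received(self) -> None:
        # Assumption: a keepalive from the remote end clears a pending TIMEOUT mark.
        self.flags.discard("TO")

    def timeout_expired(self) -> None:
        """No keepalive within the timeout: the first expiry marks the SA
        TIMEOUT, a second consecutive one deletes the ISAKMP SA and the IPSec
        SAs negotiated under it."""
        if "TO" in self.flags:
            self.deleted = True
            self.flags.clear()
            self.ipsec_sas.clear()
        else:
            self.flags.add("TO")


def run_periods(sa: IsakmpSa, keepalive_seen: list) -> IsakmpSa:
    """Drive the SA through consecutive timeout periods; each entry says
    whether a keepalive from the remote end arrived in that period."""
    for seen in keepalive_seen:
        if sa.deleted:
            break
        if seen:
            sa.keepalive_received()
        else:
            sa.timeout_expired()
    return sa
```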
Format
ike sa nat-keepalive-timer interval seconds
undo ike sa nat-keepalive-timer interval
Parameters
seconds: sets the interval at which ISAKMP SA sends NAT update packets, in a range of 5 to 300 seconds. By default, the value is 20 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the interval at which ISAKMP SA sends NAT update packets to 20 seconds.
<Eudemon> system-view
[Eudemon] ike sa nat-keepalive-timer interval 20
3.23.28 ike-peer
Function
Using the ike-peer command, you can use IKE peer in security policy. Using the undo ike-peer command, you can cancel the configuration.
Format
ike-peer peer-name
undo ike-peer peer-name
Parameters
peer-name: specifies name of IKE peer, a string in a range of 1 to 15 characters.
Views
IPSec policy view
Default Level
2: Configuration level
Usage Guidelines
This command applies only to SAs set up in isakmp mode. The IP address of the IKE peer configured in an IPSec policy must be a single address, while that configured in an IPSec policy template should be an address range.
Examples
# Apply IKE peer named mypeer in security policy.
<Eudemon> system-view
[Eudemon] ipsec policy map1 10 isakmp
[Eudemon-ipsec-policy-isakmp-map1-10] ike-peer mypeer
3.23.29 ike-proposal
Function
Using the ike-proposal command, you can set an IKE proposal used for IKE negotiation. Using the undo ike-proposal command, you can restore the default IKE proposal.
Format
ike-proposal proposal-number
undo ike-proposal
Parameters
proposal-number: specifies an IKE proposal used for IKE negotiation in a range of 1 to 100.
Views
IKE Peer view
Default Level
2: Configuration level
Usage Guidelines
By default, the default IKE proposal is used for negotiation in aggressive mode and all local IKE proposals are used in main mode.
Examples
# Use IKE proposal for negotiation.
<Eudemon> system-view
[Eudemon] ike peer mypeer
[Eudemon-ike-peer-mypeer] ike-proposal 10
3.23.30 integrity-algorithm
Function
Using the integrity-algorithm command, you can set an integrity algorithm to be used in an IKE proposal. Using the undo integrity-algorithm command, you can restore the default setting.
Format
integrity-algorithm { hmac-md5-96 | hmac-sha1-96 | aes-xcbc-96 }
undo integrity-algorithm
Parameters
hmac-md5-96: Indicates that the integrity algorithm is HMAC-MD5-96.
hmac-sha1-96: Indicates that the integrity algorithm is HMAC-SHA1-96.
aes-xcbc-96: Indicates that the integrity algorithm is AES-XCBC-96.
Views
IKE proposal view
Default Level
2: Configuration level
Usage Guidelines
The configuration is valid to only the IKEv2 protocol. By default, the integrity algorithm to be used in an IKE proposal is HMAC-SHA1-96.
Examples
# Set the integrity algorithm to be used in IKE proposal 10 to HMAC-MD5-96.
<Eudemon> system-view
[Eudemon] ike proposal 10
[Eudemon-ike-proposal-10] integrity-algorithm hmac-md5-96
Format
ipsec pre-check enable
ipsec pre-check disable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After you enable the IPSec pre-check function, the system checks received plain-text packets and discards unencrypted packets that were supposed to be encrypted. By default, the IPSec pre-check function is enabled.
Examples
# Enable the IPSec pre-check function.
<Eudemon> system-view
[Eudemon] ipsec pre-check enable
Format
ipsec succeed-check enable
ipsec succeed-check disable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After you enable the IPSec succeed-check function, the system checks received packets and discards encrypted packets that were supposed to be unencrypted. By default, the IPSec succeed-check function is enabled.
Examples
# Enable the IPSec succeed-check function.
<Eudemon> system-view
[Eudemon] ipsec succeed-check enable
Format
ipsec policy policy-name
undo ipsec policy policy-name
Parameters
policy-name: specifies the name of an IPSec policy group applied at the interface. The IPSec policy group with name policy-name should be configured in the system view. It is a string in a range of 1 to 15 characters, case sensitive and the characters can be letters or numbers.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
Only one IPSec policy group can be applied at an interface. If you want to apply another policy group, you must first cancel the application of the current IPSec policy group. When packets are sent from the interface, the security policies in the group are searched and matched one by one in ascending order of sequence number:
l If an ACL quoted by a security policy is matched, that policy is used to process the packets.
l If no ACL of the policy is matched, the search continues with the next security policy.
l If no ACL quoted by any security policy is matched, the packets are sent directly (that is, the packets are not protected by IPSec).
Examples
# Apply an IPSec policy group whose name is pg1 at interface GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] ipsec policy pg1
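The outbound matching rule above (policies tried in ascending seq-number order, first matching ACL wins, no match means the packet leaves unprotected) as an added Python model with an audit helper that lists flows a group would send in clear; this is not Eudemon code, ACL matching is reduced to IPv4 source/destination prefixes, and the data shapes, function names and sample group are constructed for the example.

```python
"""Added example, not Eudemon code: outbound packet classification by an
IPSec policy group as described for the interface-level ipsec policy
command. ACL matching is reduced to IPv4 source/destination prefixes; the
data shapes, function names and SAMPLE_GROUP are constructed here."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    source: str        # e.g. "10.1.1.0/24"
    destination: str

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination))


@dataclass(frozen=True)
class IpsecPolicy:
    name: str            # policies with the same name form one group
    seq_number: int      # 1..10000, smaller = higher priority
    acl: tuple           # AclRule entries quoted by the policy
    template: bool = False  # created with isakmp template (responder-only)


def classify(policy_group: list, src: str, dst: str):
    """Return the first policy (ascending seq-number) whose ACL matches the
    flow, or None when no ACL matches and the packet leaves unprotected."""
    for policy in sorted(policy_group, key=lambda p: p.seq_number):
        if any(rule.matches(src, dst) for rule in policy.acl):
            return policy
    return None


def unprotected_flows(policy_group: list, flows: list) -> list:
    """Audit helper: the (src, dst) pairs the group would send in clear."""
    return [f for f in flows if classify(policy_group, *f) is None]


def template_policies_last(policy_group: list) -> bool:
    """Check the reference's note that a policy applying a template must have
    the lowest priority (largest seq-number) in its group."""
    plain = [p.seq_number for p in policy_group if not p.template]
    templated = [p.seq_number for p in policy_group if p.template]
    return all(t > max(plain, default=0) for t in templated)


# Constructed sample group; addresses are illustrative only.
SAMPLE_GROUP = [
    IpsecPolicy("pg1", 20, (AclRule("10.1.0.0/16", "0.0.0.0/0"),)),
    IpsecPolicy("pg1", 10, (AclRule("10.1.1.0/24", "10.2.2.0/24"),)),
    IpsecPolicy("pg1", 100, (AclRule("10.9.0.0/16", "10.2.2.0/24"),), template=True),
]
```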
Function
Using the ipsec policy command, you can establish or modify an IPSec policy, and enter the IPSec policy view. Using the undo ipsec policy command, you can delete an IPSec policy.
Format
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
undo ipsec policy policy-name [ seq-number ]
Parameters
policy-name: specifies the name of the IPSec policy. The name is 1 to 15 characters long, case sensitive, and the characters can be English letters or numbers excluding "-".
seq-number: specifies the sequence number of the IPSec policy. It ranges from 1 to 10000. The smaller the number, the higher the priority.
manual: sets up the SA manually.
isakmp: sets up the SA through IKE negotiation.
template: specifies that the policy uses a template to establish an SA. The policy named policy-name quotes the policy template template-name. Before this parameter is selected, the template template-name must already have been created.
template-name: specifies the name of the template.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Using the undo ipsec policy policy-name command, you can delete an IPSec policy group whose name is policy-name. Using the undo ipsec policy policy-name seq-number command, you can delete an IPSec policy whose name is policy-name and sequence number is seq-number.
By default, no IPSec policy exists. To establish an IPSec policy, it is necessary to specify the negotiation mode (manual or isakmp). Once the IPSec policy is established, its negotiation mode cannot be modified. If you do need to change the negotiation mode, you must delete the IPSec policy first, and then specify a different negotiation mode for it when recreating the IPSec policy.
Security policies with the same name form a security policy group. A name and a sequence number determine a unique security policy. Up to 10000 security policies can be configured in a security policy group. The smaller seq-number is, the higher the priority is. Applying a security policy group on an interface is equivalent to applying all security policies in the group. Thus, different SAs can be adopted to protect different data flows.
Using the ipsec policy policy-name seq-number isakmp template template-name command, you can establish an IPSec policy according to the template through IKE negotiation. Before using this command, the template must have been created via the ipsec policy-template command. During the negotiation and policy matching, the parameters defined in the template must be complied with; the other parameters are decided by the initiator, and the response side accepts the proposal of the initiator. In the ACL matching rule configured by the initiator, the source network segment or source host needs to be specified. The parameters proposal, ike-peer and the ACL matching rule are mandatory in the policy template configuration. Other parameters are optional.
NOTE
Using the ipsec policy policy-name seq-number isakmp template template-name command, you can create an IPSec policy by applying the IPSec policy template. The IPSec policy that applies the IPSec policy template should be of the lowest priority in the IPSec policy group.
CAUTION
Note that IKE will not initiate negotiation by using a policy with the template parameter, but it can use such a policy to respond to a negotiation initiated by the remote end.
Examples
# Set an IPSec policy whose name is policy1, sequence number is 100, and negotiation mode is isakmp.
<Eudemon> system-view
[Eudemon] ipsec policy policy1 100 isakmp
Format
ipsec policy-template template-name seq-number
undo ipsec policy-template template-name [ seq-number ]
Parameters
template-name: specifies the name of the IPSec policy template. It is a string of 1 to 15 characters, case sensitive; the characters can be English letters or numbers and cannot include "-".
seq-number: specifies sequence number of the IPSec policy in a range of 1 to 10000. In one IPSec policy group, the smaller the sequence number of the IPSec policy, the higher the preference.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Using the undo ipsec policy-template template-name command, you can delete an IPSec policy template group by specifying the template-name. Using the undo ipsec policy-template template-name seq-number command, you can delete an IPSec policy template by specifying the template-name and seq-number. By default, no IPSec policy template exists. Using the ipsec policy policy-name seq-number isakmp template template-name command, you can specify an existing template to define an IPSec policy by specifying the parameter template-name. The parameters for configuring an IPSec policy template are the same as those used for configuring an IPSec policy in the IPSec ISAKMP negotiation mode, including the referenced IPSec proposal, the protected data stream, PFS features, duration and ike-peer, of which proposal, ike-peer and the ACL are mandatory while the others are optional. When the IPSec policy template is used for matching policies, all the parameters configured in it must be matched during the IKE negotiation, while the other parameters comply with those configured by the initiator.
Examples
# Establish an IPSec policy template with the name template1 and the sequence number 100.
<Eudemon> system-view
[Eudemon] ipsec policy-template template1 100
Format
ipsec proposal proposal-name
undo ipsec proposal proposal-name
Parameters
proposal-name: specifies name of the specified proposal. The naming rule is: the length of the name is 1 to 15 characters, case insensitive.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, no proposal exists. An IPSec proposal is a set of measures adopted to implement IPSec, including the security protocol, the encryption and authentication algorithms, and the packet encapsulation mode. During security policy configuration you quote the proposal to determine the security protocol, encryption and authentication algorithms and packet encapsulation mode at both ends of the tunnel. After a new IPSec proposal is established by using the ipsec proposal command, the ESP protocol, the DES encryption algorithm and the MD5 authentication algorithm are adopted by default.
Examples
# Establish a proposal named newprop1.
<Eudemon> system-view
[Eudemon] ipsec proposal newprop1
Format
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
Parameters
time-based seconds: specifies time-based global SA duration in second, ranging from 480 to 604800 seconds. By default, the value is 3600 seconds.
traffic-based kilobytes: specifies traffic-based global SA duration in kilobyte, ranging from 8000 to 4194303 kilobytes. By default, the value is 1843200 kilobytes and when the traffic reaches this value, the duration expires.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When IKE negotiates an SA, this command defines a global duration to negotiate with the remote end if the adopted security policy has not been configured with its own duration. If the adopted security policy has its own duration configured, the system uses the duration of the security policy to negotiate with the remote end. When IKE negotiates to establish an SA for IPSec, the smaller of the locally configured duration and the duration proposed by the remote end is used.
There are two methods to measure the duration: time-based duration and traffic-based duration. Time-based duration is the period from establishment of the SA to its expiration. Traffic-based duration is the maximum traffic volume that the SA is permitted to process. If the duration reaches the specified time or traffic volume, the SA loses effect. Before expiration of the SA, IKE negotiates to establish a new SA for IPSec. Until the new SA is established, the old one continues functioning; once the new SA is ready, it is used immediately.
With the ipsec sa global-duration command, you can change the global SA duration. After the change, SAs that are not configured with their own duration use the new global duration. The SA duration does not apply to a manually set up SA, that is, a manually set up SA never becomes invalid.
Examples
# Set the global SA duration to 7200 seconds.
<Eudemon> system-view
[Eudemon] ipsec sa global-duration time-based 7200
3.23.38 local-address
Function
Using the local-address command, you can configure the originating IP address of the IPSec negotiation packet. Using the undo local-address command, you can delete the originating IP address of the IPSec negotiation packet.
Format
local-address ip-address
undo local-address
Parameters
ip-address: specifies the IP address of the local peer in the form of dotted decimal notation.
Views
IPSec policy view
Default Level
2: Configuration level
Usage Guidelines
If IPSec and HRP initiate IPSec tunnel using VRRP IP, the command must be configured on the starting end of the IPSec tunnel.
Examples
# Configure the originating IP address of the IPSec negotiation.
<Eudemon> system-view
[Eudemon] ipsec policy policy1 2 isakmp
[Eudemon-ipsec-policy-isakmp-policy1-2] local-address 1.1.1.1
3.23.39 local-id-type
Function
Using the local-id-type command, you can specify the type of IKE ID. Using the undo local-id-type command, you can restore the default setting.
Format
local-id-type { ip | name | user-name }
undo local-id-type
Parameters
ip: specifies the IKE ID in the format of an IP address.
name: specifies the IKE ID in the name format.
user-name: specifies the IKE ID in the user name format.
Views
IKE peer view
Default Level
2: Configuration level
Usage Guidelines
By default, the IKE ID is in the format of IP address.
Examples
# Specify the type of IKE ID as name.
<Eudemon> system-view
[Eudemon] ike peer mypeer
[Eudemon-ike-peer-mypeer] local-id-type name
Format
nat traversal
undo nat traversal
Parameters
None
Views
IKE peer view
Default Level
2: Configuration level
Usage Guidelines
By default, NAT traversal is disabled.
Examples
# Enable NAT traversal.
3.23.41 pfs
Function
Using the pfs command, you can set the Perfect Forward Secrecy (PFS) feature when using the IPSec policy to initiate the negotiation. Using the undo pfs command, you can set not to use the PFS feature during the negotiation.
Format
pfs { dh-group1 | dh-group2 | dh-group5 }
undo pfs
Parameters
dh-group1: uses the 768-bit Diffie-Hellman group.
dh-group2: uses the 1024-bit Diffie-Hellman group.
dh-group5: uses the 1536-bit Diffie-Hellman group.
Views
IPSec policy view, IPSec policy template view
Default Level
2: Configuration level
Usage Guidelines
By default, no PFS feature is used. The command is used to perform a PFS exchange when IPSec uses the IPSec policy to initiate a negotiation. An additional key exchange is performed during the phase 2 negotiation so as to enhance the communication safety. The DH group specified by the local and remote ends must be consistent, otherwise the negotiation will fail.
Examples
# Use PFS when negotiating through IPSec policy shanghai 200.
<Eudemon> system-view
[Eudemon] ipsec policy shanghai 200 isakmp
[Eudemon-ipsec-policy-isakmp-shanghai-200] pfs dh-group1
3.23.42 pre-shared-key
Function
Using the pre-shared-key command, you can configure the authenticator for pre-shared key authentication method. Using the undo pre-shared-key command, you can remove the authenticator.
Format
pre-shared-key key
undo pre-shared-key
Parameters
key: specifies an authenticator, a string in a range of 1 to 127 characters.
Views
IKE peer view
Default Level
2: Configuration level
Usage Guidelines
Configuring the key for the pre-shared-key authentication mode can improve the security of the IKE negotiation. The same authenticator must be configured on both ends of the negotiation. If the pre-shared key authentication method is used in a policy, the authenticator must be configured; otherwise, the policy cannot be used.
Examples
# Configure the authenticator as "abcde" for IKE peer.
<Eudemon> system-view
[Eudemon] ike peer mypeer
[Eudemon-ike-peer-mypeer] pre-shared-key abcde
3.23.43 proposal
Function
Using the proposal command, you can set the proposal used by the IPSec policy. Using the undo proposal command, you can cancel the proposal used by the IPSec policy.
Format
proposal proposal-name &<1-6>
undo proposal [ proposal-name ]
Parameters
proposal-name: specifies name of the proposals adopted. It is a string in a range of 1 to 15 characters.
Views
IPSec policy view, IPSec policy template view
Default Level
2: Configuration level
Usage Guidelines
By default, no proposal is used. Before using this command, the corresponding IPSec proposal must have been configured. An SA set up in manual mode can use only one proposal; if a proposal is already set, it must be deleted with the undo proposal command before a new one can be set. An SA set up in isakmp mode can use at most six proposals, and IKE negotiation searches for a completely matching proposal at both ends of the security tunnel. An IPSec policy template can likewise use at most six proposals, and IKE negotiation searches for a completely matching proposal.
Examples
# Set a proposal with name prop1, adopting ESP and the default algorithm, and set an IPSec policy as using a proposal named prop1.
<Eudemon> system-view
[Eudemon] ipsec proposal prop1
[Eudemon-ipsec-proposal-prop1] transform esp
[Eudemon-ipsec-proposal-prop1] quit
[Eudemon] ipsec policy policy1 100 manual
[Eudemon-ipsec-policy-manual-policy1-100] proposal prop1
3.23.44 remote-address
Function
Using the remote-address command, you can configure IKE peer address or address segment. Using the undo remote-address command, you can remove the configuration.
Format
remote-address [ authentication-address ] low-ip-address [ high-ip-address ]
undo remote-address
Parameters
authentication-address: specifies the peer IP address used for IP-based authentication in NAT traversal. The IP address is the peer IP address before NAT translation.
low-ip-address: specifies the starting address of the authenticated end's IP address segment, in dotted decimal format.
high-ip-address: specifies the ending address of the authenticated end's IP address segment, in dotted decimal format.
Views
IKE peer view
Default Level
2: Configuration level
Usage Guidelines
If no high-ip-address is specified during configuration, only one address is configured for IKE peer. If the peer address is configured to an address segment, the IKE peer can be used only by the policy template of IPSec.
Examples
# Configure the peer address to 202.38.0.1.
<Eudemon> system-view
[Eudemon] ike peer mypeer
[Eudemon-ike-peer-mypeer] remote-address 202.38.0.1
3.23.45 remote-name
Function
Using the remote-name command, you can specify the name for IKE peer in aggressive mode. Using the undo remote-name command, you can remove the configuration.
Format
remote-name name
undo remote-name
Parameters
name: specifies the peer name, a string in a range of 1 to 15 characters.
Views
IKE Peer view
Default Level
2: Configuration level
Usage Guidelines
You need to configure the peer name if you use the name authentication mode in aggressive mode.
Examples
# Specify the name of IKE peer as remotepeer.
<Eudemon> system-view
[Eudemon] ike peer mypeer
[Eudemon-ike-peer-mypeer] exchange-mode aggressive
[Eudemon-ike-peer-mypeer] remote-name remotepeer
Format
reset ike sa [ connection-id ]
Parameters
connection-id: specifies the connection ID of the SA to be deleted. It is an integer, in a range of 1 to 4294967294. If this parameter is not specified, all the SAs at phase 1 will be deleted.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
CAUTION
If the SA at phase 1 is deleted first, the remote end cannot be informed of clearing the SA database when the SA at phase 2 is deleted.
IKE uses ISAKMP in two phases: at phase 1 the IKE SA, that is, the ISAKMP SA, is established; at phase 2 the established ISAKMP SA is used to negotiate a specific SA for IPSec, that is, to establish the IPSec SA. If the phase 1 ISAKMP SA still exists when the local security tunnel is deleted, a Delete Message notification is sent to the remote end under the protection of this security tunnel to notify the remote end to delete its SA database. If connection-id is not specified, all the SAs at phase 1 are deleted.
Examples
# Delete the security tunnel to 202.38.0.2.
<Eudemon> display ike sa
connection-id  peer         flag    phase  doi
---------------------------------------------------------
1              202.38.0.2   RD|ST   1      IPSEC
2              202.38.0.2   RD|ST   2      IPSEC
flag meaning:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<Eudemon> reset ike sa 2
<Eudemon> display ike sa
connection-id  peer         flag    phase  doi
1              202.38.0.2   RD|ST   1      IPSEC
flag meaning:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
Format
reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters destination-address protocol spi ]
Parameters
remote ip-address: specifies a remote address, in dotted decimal format.
ip-address: specifies a peer IP address, in dotted decimal format.
policy: specifies the IPSec policy.
policy-name: specifies the name of the IPSec policy. The naming rule is as follows: the length is 1 to 15 characters, case sensitive, and the characters can be letters or numbers.
seq-number: specifies the sequence number of the IPSec policy, ranging from 1 to 10000. If no seq-number is specified, the command applies to all the policies in the IPSec policy group named policy-name.
parameters: identifies a Security Association (SA) by its destination address, security protocol and SPI.
destination-address: specifies the destination address in dotted decimal IP address format.
protocol: specifies the security protocol, case insensitive. ah refers to the Authentication Header protocol and esp refers to the Encapsulating Security Payload protocol.
spi: specifies the security parameter index (SPI), in a range of 256 to 4294967295.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
If no parameter (remote, policy, parameters) is specified, all the SAs are deleted. An SA is uniquely identified by its destination address, security protocol, and SPI. An SA can be established manually or through IKE negotiation. After a manually established SA is deleted, the system automatically establishes a new SA according to the corresponding manual security policy. After an SA established through IKE negotiation is deleted, a new SA is established through IKE re-negotiation if a packet re-triggers negotiation. If the keyword parameters is specified, the SA in the other direction is also deleted after the SA in one direction is deleted, because SAs appear in pairs. That is, specifying the keyword parameters deletes a pair of SAs simultaneously.
Examples
# Delete all the SAs.
<Eudemon> reset ipsec sa
# Delete the SA of the IPSec policy with the name policy1 and the serial number 10.
<Eudemon> reset ipsec sa policy policy1 10
# Delete an SA whose remote IP address is 10.1.1.2, security protocol is AH, and SPI is 10000.
<Eudemon> reset ipsec sa parameters 10.1.1.2 ah 10000
3.23.48 reset ipsec statistics
Function
Using the reset ipsec statistics command, you can clear IPSec message statistics, and set all the statistics to zero.
Format
reset ipsec statistics
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
When you debug the IPSec function, clear the IPSec statistics first.
Examples
# Clear IPSec message statistics.
<Eudemon> reset ipsec statistics
3.23.49 sa authentication-hex
Function
Using the sa authentication-hex command, you can set the SA authentication key manually for the IPSec policy of manual mode. Using the undo sa authentication-hex command, you can delete the SA authentication key already set.
Format
sa authentication-hex { inbound | outbound } { ah | esp } hex-key
undo sa authentication-hex { inbound | outbound } { ah | esp }
Parameters
inbound: sets the inbound SA parameter. IPSec uses the inbound SA for processing the packet in the inbound direction (received).
outbound: sets the outbound SA parameter. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).
ah: sets the parameter of the SA using AH. If the IPSec proposal used by the IPSec policy adopts AH, the ah keyword is used to set the parameter of the SA.
esp: sets the parameter of the SA using ESP. If the IPSec proposal used by the IPSec policy adopts ESP, the esp keyword is used to set the parameter of the SA.
hex-key: specifies the key for the SA, input in hex format. If MD5 is used, input a 16-byte key; if SHA1 is used, input a 20-byte key.
Views
IPSec policy view in manual mode
Default Level
2: Configuration level
Usage Guidelines
This command is used only for a security policy in manual mode. For an IPSec policy in isakmp mode, it is unnecessary to set the SA parameters manually: IKE automatically negotiates the SA parameters and establishes the SA. When setting an SA in manual mode, the SA parameters of the inbound and outbound directions must be set separately. The SA parameters set at both ends of the security tunnel must match exactly: the SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end, and the SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end. There are two methods for inputting the key: hex and character string. To input the key as a character string, use the sa string-key command. If you input a key both ways, the one set last takes effect. At both ends of a security tunnel, the key must be input by the same method. If the key is input as a character string on one end and in hex form on the other end, the tunnel configuration fails.
Examples
# Set SPI of the inbound SA to 10000, key to 0x112233445566778899aabbccddeeff00; set the SPI of the outbound SA to 20000, and its key to 0xaabbccddeeff001100aabbccddeeff00 in the IPSec policy using AH and MD5.
<Eudemon> system-view
[Eudemon] ipsec proposal prop_ah
[Eudemon-ipsec-proposal-prop_ah] transform ah
[Eudemon-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[Eudemon-ipsec-proposal-prop_ah] quit
[Eudemon] ipsec policy tianjin 100 manual
[Eudemon-ipsec-policy-manual-tianjin-100] proposal prop_ah
[Eudemon-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[Eudemon-ipsec-policy-manual-tianjin-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00
[Eudemon-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[Eudemon-ipsec-policy-manual-tianjin-100] sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00
3.23.50 sa binding
Function
Using the sa binding command, you can bind the SA to the VPN instance. Using the undo sa binding command, you can cancel the bind between the SA and the VPN instance.
Format
sa binding vpn-instance vpn-instance-name zone zone-name
undo sa binding vpn-instance vpn-instance-name
Parameters
vpn-instance-name: specifies the name of the VPN instance to be bound to the SA.
zone-name: specifies the name of the security zone.
Views
IPSec Policy View in manual mode
Default Level
2: Configuration level
Usage Guidelines
To configure IPSec for multiple VPN instances, if you create a security policy in manual mode, you need to run the sa binding vpn-instance command in the IPSec policy view to specify the VPN instance bound to the IPSec tunnel.
Examples
# Bind VPN instance "vpna" with SA.
<Eudemon> system-view
[Eudemon] ipsec policy test 10 manual
[Eudemon-ipsec-policy-test-10] sa binding vpn-instance vpna zone trust
3.23.51 sa binding
Format
sa binding vpn-instance vpn-instance-name zone zone-name
undo sa binding vpn-instance vpn-instance-name
Parameters
vpn-instance-name: specifies the name of the VPN instance to be bound to the SA.
zone-name: specifies the name of the security zone.
Views
IKE Peer View
Default Level
2: Configuration level
Usage Guidelines
To configure IPSec for multiple VPN instances, if you create a security policy in isakmp mode, you need to run the sa binding vpn-instance command in the IKE peer view to specify the VPN instance bound to the IPSec tunnel.
Examples
# Bind VPN instance "vpna" with SA.
<Eudemon> system-view
[Eudemon] ike peer test
[Eudemon-ike-peer-test] sa binding vpn-instance vpna zone trust
3.23.52 sa duration
Format
sa duration seconds
undo sa duration
Parameters
seconds: specifies the ISAKMP SA duration. It is an integer in a range of 60 to 604800 seconds. By default, the ISAKMP SA duration is 86400 seconds (one day). When the timer expires, the ISAKMP SA is updated automatically.
Views
IKE proposal View
Default Level
2: Configuration level
Usage Guidelines
If an IKE proposal keeps a single SA in use indefinitely, the SA is at risk of being cracked. Configuring the SA duration improves security. Before the duration of an SA expires, a new SA is negotiated to replace the old one. The system continues to use the old SA until the new one has been negotiated; as soon as the new SA is available, the system switches to it immediately and removes the old one.
Examples
# Set the ISAKMP SA duration for IKE proposal 10 to 600 seconds.
<Eudemon> system-view
[Eudemon] ike proposal 10
[Eudemon-ike-proposal-10] sa duration 600
3.23.53 sa duration
Format
sa duration { traffic-based kilobytes | time-based seconds }
undo sa duration { traffic-based | time-based }
Parameters
time-based seconds: specifies the time-based SA duration, in a range of 480 to 604800 seconds. By default, the value is 3600 seconds.
traffic-based kilobytes: specifies the traffic-based SA duration, in a range of 8000 to 4194303 kilobytes. By default, the value is 1843200 kilobytes.
Views
IPSec policy view, or IPSec policy template view
Default Level
2: Configuration level
Usage Guidelines
When IKE negotiates to establish an SA, if the IPSec policy in use is not configured with its own duration, the system uses the global SA duration specified by this command to negotiate with the peer. If the IPSec policy is configured with its own duration, the system uses that duration to negotiate with the peer. When IKE negotiates to set up an SA for IPSec, the smaller of the duration set locally and the duration proposed by the remote end is selected. There are two methods to measure the duration:
- Time-based duration is the period from establishment of the SA to its expiration.
- Traffic-based duration is the maximum volume of traffic that the SA is permitted to process.
If the duration reaches the specified time or traffic volume, the SA expires. Before the SA expires, IKE negotiates a new SA for IPSec. Until the new SA is established, the old one continues to function; once the new SA is ready, it is used immediately. The SA duration applies only to IKE-negotiated SAs, not to SAs set up manually.
Examples
# Set the sa duration for the IPSec policy shenzhen 100 to 2 hours, that is, 7200 seconds.
<Eudemon> system-view
[Eudemon] ipsec policy shenzhen 100 isakmp
[Eudemon-ipsec-policy-isakmp-shenzhen-100] sa duration time-based 7200
# Set the sa duration for the IPSec policy shenzhen 100 to 20 MB, that is, the SA expires when the traffic exceeds 20000 kilobytes.
<Eudemon> system-view
[Eudemon] ipsec policy shenzhen 100 isakmp
[Eudemon-ipsec-policy-isakmp-shenzhen-100] sa duration traffic-based 20000
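As an added illustration of the negotiation rule and the two expiry methods described in the usage guidelines above, the following Python model is not Huawei code and not part of this reference. The ranges and defaults are the ones documented for this command; the 10 percent rekey margin, the SaSlot bookkeeping and the function names are assumptions made for the example.

```python
# Added example (not Huawei code): how an IKE-negotiated IPSec SA lifetime is
# chosen and how an SA is replaced before it expires by time or by traffic.
from dataclasses import dataclass
from typing import Optional

# Ranges and defaults documented for "sa duration" in the IPSec policy view.
TIME_RANGE = (480, 604800)        # seconds
TRAFFIC_RANGE = (8000, 4194303)   # kilobytes


@dataclass(frozen=True)
class Lifetime:
    time_based: int       # seconds
    traffic_based: int    # kilobytes


GLOBAL_DEFAULT = Lifetime(3600, 1843200)


def check_lifetime(lt: Lifetime) -> Lifetime:
    """Reject values outside the documented ranges, as the CLI would."""
    if not TIME_RANGE[0] <= lt.time_based <= TIME_RANGE[1]:
        raise ValueError(f"time-based {lt.time_based} outside {TIME_RANGE}")
    if not TRAFFIC_RANGE[0] <= lt.traffic_based <= TRAFFIC_RANGE[1]:
        raise ValueError(f"traffic-based {lt.traffic_based} outside {TRAFFIC_RANGE}")
    return lt


def negotiated_lifetime(policy: Optional[Lifetime], peer: Lifetime,
                        global_lt: Lifetime = GLOBAL_DEFAULT) -> Lifetime:
    """The policy's own duration overrides the global one; IKE then takes the
    smaller of the local value and the value proposed by the remote end."""
    local = policy if policy is not None else global_lt
    return Lifetime(min(local.time_based, peer.time_based),
                    min(local.traffic_based, peer.traffic_based))


def sa_status(lt: Lifetime, age_s: int, kbytes: int, margin: float = 0.1) -> str:
    """'expired' once either limit is reached; 'rekey' inside the last `margin`
    fraction of either limit (the margin is an assumption for this example;
    the page only says rekeying happens before expiry); otherwise 'active'."""
    if age_s >= lt.time_based or kbytes >= lt.traffic_based:
        return "expired"
    if (age_s >= lt.time_based * (1 - margin)
            or kbytes >= lt.traffic_based * (1 - margin)):
        return "rekey"
    return "active"


class SaSlot:
    """The SA in use for one policy plus, while rekeying, its negotiated replacement."""

    def __init__(self, lifetime: Lifetime):
        self.lifetime = check_lifetime(lifetime)
        self.current = {"id": 1, "established": 0, "kbytes": 0}
        self.pending = None
        self._next_id = 2

    def _negotiate(self, now: int) -> dict:
        sa = {"id": self._next_id, "established": now, "kbytes": 0}
        self._next_id += 1
        return sa

    def process(self, now: int, kbytes: int) -> int:
        """Account kbytes of traffic at time now; return the id of the SA that carried it."""
        sa = self.current
        status = sa_status(self.lifetime, now - sa["established"], sa["kbytes"] + kbytes)
        if status == "expired":
            # Switch at once to the replacement (negotiating one now if rekeying never started).
            self.current = self.pending or self._negotiate(now)
            self.pending = None
            sa = self.current
        elif status == "rekey" and self.pending is None:
            # IKE negotiates the new SA while the old one keeps carrying traffic.
            self.pending = self._negotiate(now)
        sa["kbytes"] += kbytes
        return sa["id"]


if __name__ == "__main__":
    # Values from the examples on this page: 7200 s and 20000 kilobytes.
    lt = negotiated_lifetime(Lifetime(7200, 20000), Lifetime(86400, 4194303))
    slot = SaSlot(lt)
    for now, kb in [(0, 1000), (6500, 1000), (7300, 1000), (7400, 19000)]:
        print(now, kb, "carried by SA", slot.process(now, kb))
```

The trace in the main block shows both expiry paths: SA 1 is replaced at 7200 s by the SA negotiated at 6500 s, and SA 2 is replaced again as soon as its 20000 kilobytes are used up.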
3.23.54 sa encryption-hex
Function
Using the sa encryption-hex command, you can set the SA encryption key manually for the IPSec policy of manual mode. Using the undo sa encryption-hex command, you can delete the SA parameter already set.
Format
sa encryption-hex { inbound | outbound } esp hex-key
undo sa encryption-hex { inbound | outbound } esp
Parameters
inbound: sets the inbound SA parameter. IPSec uses the inbound SA for processing the packet in the inbound direction (received).
outbound: sets the outbound SA parameter. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).
esp: sets the parameter of the SA using ESP. If the IPSec proposal used by the IPSec policy adopts ESP, the esp keyword is used to set the parameter of the SA.
hex-key: specifies the key for the SA, input in hex format. For ESP, if DES is used, input an 8-byte key; if 3DES is used, input a 24-byte key; if AES128 is used, input a 16-byte key; if AES192 is used, input a 24-byte key; if AES256 is used, input a 32-byte key; if SCB2 is used, input a 16-byte key.
Views
IPSec policy view in manual mode
Default Level
2: Configuration level
Usage Guidelines
This command is used only for an IPSec policy in manual mode, to set the SA parameters and establish the SA manually. For an IPSec policy in isakmp mode, it is unnecessary to set the SA parameters manually and this command is invalid: IKE automatically negotiates the SA parameters and establishes the SA. When configuring an SA in manual mode, the SA parameters of the inbound and outbound directions must be set separately. The SA parameters set at both ends of the security tunnel must match exactly: the SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end, and the SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.
Examples
# Set the SPI of the inbound SA to 1001, and the key to 0x1234567890abcdef; set the SPI of the outbound SA to 2001, and its key to 0xabcdefabcdef1234 in the IPSec policy using ESP and DES.
<Eudemon> system-view
[Eudemon] ipsec proposal prop_esp
[Eudemon-ipsec-proposal-prop_esp] transform esp
[Eudemon-ipsec-proposal-prop_esp] esp encryption-algorithm des
[Eudemon-ipsec-proposal-prop_esp] quit
[Eudemon] ipsec policy tianjin 100 manual
[Eudemon-ipsec-policy-manual-tianjin-100] proposal prop_esp
[Eudemon-ipsec-policy-manual-tianjin-100] sa spi inbound esp 1001
[Eudemon-ipsec-policy-manual-tianjin-100] sa encryption-hex inbound esp 1234567890abcdef
[Eudemon-ipsec-policy-manual-tianjin-100] sa spi outbound esp 2001
[Eudemon-ipsec-policy-manual-tianjin-100] sa encryption-hex outbound esp abcdefabcdef1234
3.23.55 sa reauth duration
Format
sa reauth duration seconds
undo sa reauth duration
Parameters
seconds: specifies the ISAKMP SA re-authentication duration. It is an integer that ranges from 60 to 604800, in seconds.
Views
IKE proposal view
Default Level
2: Configuration level
Usage Guidelines
This setting takes effect only for IKEv2. By default, the ISAKMP SA re-authentication duration is 86400 seconds (one day).
Examples
# Set the ISAKMP SA re-authentication duration of IKE proposal 10 to 43200 seconds.
<Eudemon> system-view
[Eudemon] ike proposal 10
[Eudemon-ike-proposal-10] sa reauth duration 43200
3.23.56 sa spi
Function
Using the sa spi command, you can set the SA SPI manually for the IPSec policy of manual mode. Using the undo sa spi command, you can delete the SA SPI already set.
Format
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
Parameters
inbound: sets the inbound SA parameter. IPSec uses the inbound SA for processing received packets.
outbound: sets the outbound SA parameter. IPSec uses the outbound SA for processing sent packets.
ah: sets the parameter of the SA using AH. If the IPSec proposal used by the IPSec policy adopts AH, the ah keyword is used to set the parameter of the SA.
esp: sets the parameter of the SA using ESP. If the IPSec proposal used by the IPSec policy adopts ESP, the esp keyword is used to set the parameter of the SA.
spi-number: specifies the Security Parameter Index (SPI) in the triplet that identifies the SA, in a range of 256 to 4294967295. The triplet that identifies the SA, consisting of the SPI, destination address, and protocol number, must be unique.
Views
IPSec policy view in manual mode
Default Level
2: Configuration level
Usage Guidelines
This command is used only for an IPSec policy in manual mode, to set the SA parameters and establish the SA manually. For an IPSec policy in isakmp mode, it is unnecessary to set the SA parameters manually and this command is invalid: IKE automatically negotiates the SA parameters and establishes the SA. When configuring an SA in manual mode, the SA parameters of the inbound and outbound directions must be set separately. The SA parameters set at both ends of the security tunnel must match exactly: the SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end, and the SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.
Examples
# Set the SPI of the inbound SA to 10000, set the SPI of the outbound SA to 20000, in the IPSec policy using AH and MD5.
<Eudemon> system-view
[Eudemon] ipsec proposal prop_ah
[Eudemon-ipsec-proposal-prop_ah] transform ah
[Eudemon-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[Eudemon-ipsec-proposal-prop_ah] quit
[Eudemon] ipsec policy tianjin 100 manual
[Eudemon-ipsec-policy-manual-tianjin-100] proposal prop_ah
[Eudemon-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[Eudemon-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
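The manual-mode rules spread over sa spi, sa authentication-hex and sa encryption-hex (SPI range, hex key length per algorithm, and each end's inbound SA mirroring the other end's outbound SA) can be checked before the configuration is typed in. The following Python block is an added example, not Huawei code and not part of this reference: the key-length table is taken from the hex-key descriptions on this page, while the ManualSA fields and the function names are assumptions made for the example.

```python
# Added example (not Huawei code): checks manual-mode SA settings against the
# rules given for sa spi, sa authentication-hex and sa encryption-hex.
from dataclasses import dataclass
from typing import List, Optional

# Hex key lengths in bytes, as documented on this page.
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes128": 16,
                 "aes192": 24, "aes256": 32, "scb2": 16}
SPI_MIN, SPI_MAX = 256, 4294967295


@dataclass(frozen=True)
class ManualSA:
    """One direction (inbound or outbound) of a manual-mode SA."""
    protocol: str                   # "ah" or "esp"
    spi: int                        # sa spi ... spi-number
    auth_alg: Optional[str] = None  # authentication-algorithm from the proposal
    auth_key: Optional[str] = None  # sa authentication-hex ... hex-key
    enc_alg: Optional[str] = None   # esp encryption-algorithm from the proposal
    enc_key: Optional[str] = None   # sa encryption-hex ... hex-key


def check_hex_key(hex_key: str, expected_bytes: int) -> List[str]:
    """A hex key must decode and have exactly the length the algorithm needs."""
    try:
        raw = bytes.fromhex(hex_key)
    except ValueError:
        return [f"{hex_key!r} is not valid hex"]
    if len(raw) != expected_bytes:
        return [f"key is {len(raw)} bytes, algorithm needs {expected_bytes}"]
    return []


def validate_sa(sa: ManualSA) -> List[str]:
    """Return every problem found in one SA direction; an empty list means it is acceptable."""
    if sa.protocol not in ("ah", "esp"):
        return [f"unknown protocol {sa.protocol!r}"]
    problems: List[str] = []
    if not SPI_MIN <= sa.spi <= SPI_MAX:
        problems.append(f"SPI {sa.spi} outside {SPI_MIN}..{SPI_MAX}")
    if sa.protocol == "ah" and sa.auth_alg is None:
        problems.append("AH needs an authentication algorithm and key")
    if sa.auth_alg is not None:
        if sa.auth_alg not in AUTH_KEY_BYTES:
            problems.append(f"unknown authentication algorithm {sa.auth_alg!r}")
        elif sa.auth_key is None:
            problems.append("authentication key missing (sa authentication-hex)")
        else:
            problems += ["auth: " + p for p in
                         check_hex_key(sa.auth_key, AUTH_KEY_BYTES[sa.auth_alg])]
    if sa.protocol == "esp":
        if sa.enc_alg not in ENC_KEY_BYTES:
            problems.append(f"unknown or missing encryption algorithm {sa.enc_alg!r}")
        elif sa.enc_key is None:
            problems.append("encryption key missing (sa encryption-hex)")
        else:
            problems += ["enc: " + p for p in
                         check_hex_key(sa.enc_key, ENC_KEY_BYTES[sa.enc_alg])]
    return problems


def check_tunnel_ends(local_in: ManualSA, local_out: ManualSA,
                      remote_in: ManualSA, remote_out: ManualSA) -> List[str]:
    """Local inbound must equal remote outbound and vice versa, SPI and key included."""
    problems = []
    if local_in != remote_out:
        problems.append("local inbound SA differs from remote outbound SA")
    if local_out != remote_in:
        problems.append("local outbound SA differs from remote inbound SA")
    return problems


if __name__ == "__main__":
    # Values from the AH/MD5 example on this page.
    local_in = ManualSA("ah", 10000, "md5", "112233445566778899aabbccddeeff00")
    local_out = ManualSA("ah", 20000, "md5", "aabbccddeeff001100aabbccddeeff00")
    print(validate_sa(local_in), validate_sa(local_out))
    # The peer must mirror the two directions; here it was configured the wrong way round.
    print(check_tunnel_ends(local_in, local_out, local_in, local_out))
```

With the page's AH example the checker reports no problems for either direction, and two mismatches for a peer whose inbound and outbound SAs were swapped; a wrong-length key for the chosen algorithm is reported the same way, which is the class of mistake that otherwise shows up only as a tunnel that never comes up.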
3.23.57 sa string-key
Function
Using the sa string-key command, you can set the SA parameter manually for the IPSec policy of manual mode. Using the undo sa string-key command, you can delete the SA parameter.
Format
sa string-key { inbound | outbound } { ah | esp } string-key
undo sa string-key { inbound | outbound } { ah | esp }
Parameters
inbound: sets the inbound SA parameter. IPSec uses the inbound SA for processing the packet in the inbound direction (received).
outbound: sets the outbound SA parameter. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).
ah: sets the parameter of the SA using AH. If the IPSec proposal used by the IPSec policy adopts AH, the ah keyword is used to set the parameter of the SA.
esp: sets the parameter of the SA using ESP. If the IPSec proposal used by the IPSec policy adopts ESP, the esp keyword is used to set the parameter of the SA.
string-key: specifies the key for an SA, a string of 1 to 127 characters. For any algorithm you can input a character string of any length within this range; the system automatically generates keys meeting the algorithm requirements from the input string. For ESP, the system automatically generates both the authentication key and the encryption key at the same time.
Views
IPSec policy view in manual mode
Default Level
2: Configuration level
Usage Guidelines
This command is used only for an IPSec policy in manual mode, to set the SA parameters and establish the SA manually. For an IPSec policy in isakmp mode, it is unnecessary to set the SA parameters manually and this command is invalid: IKE automatically negotiates the SA parameters and establishes the SA. When configuring an SA in manual mode, the SA parameters of the inbound and outbound directions must be set separately. The SA parameters set at both ends of the security tunnel must match exactly: the SPI and key of the inbound SA at the local end must be the same as those of the outbound SA at the remote end, and the SPI and key of the outbound SA at the local end must be the same as those of the inbound SA at the remote end. There are two methods for inputting the key: hex and character string. To input the key in hex form, use the sa authentication-hex command. If you input a key both ways, the one set last takes effect. At both ends of a security tunnel, the key must be input by the same method. If the key is input as a character string on one end and in hex form on the other end, the security tunnel cannot be created correctly.
Examples
# Set the SPI of the inbound SA to 10000, and the key string to abcdef; set the SPI of the outbound SA to 20000, and its key string to efcdab in the IPSec policy using AH and MD5.
<Eudemon> system-view
[Eudemon] ipsec proposal prop_ah
[Eudemon-ipsec-proposal-prop_ah] transform ah
[Eudemon-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[Eudemon-ipsec-proposal-prop_ah] quit
[Eudemon] ipsec policy tianjin 100 manual
[Eudemon-ipsec-policy-manual-tianjin-100] proposal prop_ah
[Eudemon-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[Eudemon-ipsec-policy-manual-tianjin-100] sa string-key inbound ah abcdef
[Eudemon-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[Eudemon-ipsec-policy-manual-tianjin-100] sa string-key outbound ah efcdab
3.23.58 security acl
Format
security acl acl-number
undo security acl
Parameters
acl-number: specifies the number of the ACL used by the ipsec policy, in a range of 3000 to 3999.
Views
IPSec policy view, IPSec policy template view
Default Level
2: Configuration level
Usage Guidelines
By default, no ACL is specified for the security policy. IPSec determines which packets need protection according to the defined ACL. When an IPSec security policy is applied, packets are first matched against the rules in the ACL. Packets that match the ACL and are permitted are protected before being sent out; packets that do not match the ACL, or that are denied, are sent out directly without protection.
Examples
# Set the IPSec policy to use advanced ACL 3101.
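The first-match rule in the usage guidelines above, as an added Python model that is not Huawei code and not part of this reference: the two rules are a constructed stand-in for advanced ACL 3101, and the packet fields and function names are assumptions made for the example.

```python
# Added example (not Huawei code): which packets an IPSec policy protects
# according to the ACL it references, following the first-match rule.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    """One rule of an advanced ACL (3000-3999): action, protocol, source, destination."""
    action: str                    # "permit" or "deny"
    protocol: str = "ip"           # "ip" matches every IP protocol
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"

    def matches(self, pkt: dict) -> bool:
        return ((self.protocol == "ip" or self.protocol == pkt["protocol"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.destination))


def acl_decision(rules: List[AclRule], pkt: dict) -> Optional[str]:
    """Rules are evaluated in order; the first match decides. None means no rule matched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


def ipsec_disposition(rules: List[AclRule], pkt: dict) -> str:
    """Only a permit puts the packet into the tunnel; deny and no-match both send it in the clear."""
    return "protect" if acl_decision(rules, pkt) == "permit" else "plaintext"


# Constructed stand-in for "advanced ACL 3101": exclude one host, protect the rest of the subnet pair.
ACL_3101 = [
    AclRule("deny", "ip", "10.1.1.0/24", "10.1.2.100/32"),
    AclRule("permit", "ip", "10.1.1.0/24", "10.1.2.0/24"),
]


def audit(rules: List[AclRule], packets: List[dict]) -> dict:
    """Split traffic three ways; unmatched flows are the ones that bypass IPSec without any rule saying so."""
    summary = {"protect": 0, "denied": 0, "unmatched": 0}
    for pkt in packets:
        decision = acl_decision(rules, pkt)
        if decision == "permit":
            summary["protect"] += 1
        elif decision == "deny":
            summary["denied"] += 1
        else:
            summary["unmatched"] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample packets.
    sample = [
        {"protocol": "tcp", "src": "10.1.1.5", "dst": "10.1.2.7"},      # permitted: protected
        {"protocol": "tcp", "src": "10.1.1.5", "dst": "10.1.2.100"},    # denied: plaintext
        {"protocol": "udp", "src": "192.168.1.1", "dst": "10.1.2.7"},   # no rule: plaintext
    ]
    for pkt in sample:
        print(pkt["src"], "->", pkt["dst"], ipsec_disposition(ACL_3101, pkt))
    print(audit(ACL_3101, sample))
```

The third sample packet is the one worth watching in a review: traffic that matches no rule is not rejected, it is simply forwarded unprotected, which is why the audit counts unmatched flows separately from explicit denies.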
3.23.59 speed-limit
Function
Using the speed-limit command, you can set the speed limit for encrypted traffic in an IPSec tunnel. Using the undo speed-limit command, you can cancel the above configuration.
Format
speed-limit { inbound | outbound } speed-limit
undo speed-limit
Parameters
inbound: specifies the inbound direction of the speed limit.
outbound: specifies the outbound direction of the speed limit.
speed-limit: specifies the value of the speed limit. It is an integer that ranges from 8 to 4194303, in kilobytes.
Views
IPSec policy view, IPSec policy template view
Default Level
2: Configuration level
Usage Guidelines
After an IPSec policy is applied to an interface, you cannot run the speed-limit command to modify the speed limit of that IPSec policy. After an IPSec policy template is referenced by an IPSec policy, you cannot run the speed-limit command to modify the speed limit of the IPSec policy template.
Examples
# Set the speed limit for encrypted traffic of the IPSec policy policy1 to 500 Kbyte/s.
<Eudemon> system-view
[Eudemon] ipsec policy policy1 1 manual
[Eudemon-ipsec-policy-manual-policy1-1] speed-limit inbound 500
3.23.60 transform
Function
Using the transform command, you can set a security protocol used by a proposal. Using the undo transform command, you can restore the default security protocol.
Format
transform { ah | ah-esp | esp }
undo transform
Parameters
ah: uses the AH protocol specified in RFC2402.
ah-esp: uses ESP specified in RFC2406 to protect the packets and then uses the AH protocol specified in RFC2402 to authenticate them.
esp: uses ESP specified in RFC2406.
Views
IPSec proposal view
Default Level
2: Configuration level
Usage Guidelines
By default, esp, that is, the ESP specified in RFC2406, is used. If ESP is adopted, the default encryption algorithm is DES and the default authentication algorithm is MD5. If AH is adopted, the default authentication algorithm is MD5. If the parameter ah-esp is specified, the default authentication algorithm for AH is MD5 and the default encryption algorithm for ESP is DES without authentication.
The AH protocol provides:
- Data source authentication
- Data integrity check
- Packet anti-replay
The ESP protocol provides:
- Data source authentication
- Data integrity check
- Packet anti-replay
- Data encryption
At both ends of the security tunnel, the IPSec protocols for the IPSec proposal must be consistent. If you have a high requirement on network security, use the esp or ah-esp protocol.
Examples
# Set the security protocol of IPSec proposal prop1 to AH.
<Eudemon> system-view
[Eudemon] ipsec proposal prop1
[Eudemon-ipsec-proposal-prop1] transform ah
3.23.61 tunnel local
Format
tunnel local ip-address
undo tunnel local
Parameters
None
Views
IPSec policy view in manual mode
Default Level
2: Configuration level
Usage Guidelines
By default, the local address of an IPSec policy is not set. As for the IPSec policy in manual mode, it is necessary to set the local address before the SA can be established. A security tunnel is set up between the local and remote end, so the local address and remote address must be correctly set before a security tunnel can be set up.
Examples
# Set the local address for the IPSec policy, which is applied to GigabitEthernet 0/0/2 with the IP address 10.0.0.1.
<Eudemon> system-view
[Eudemon] ipsec policy guangzhou 100 manual
[Eudemon-ipsec-policy-manual-guangzhou-100] tunnel local 10.0.0.1
[Eudemon-ipsec-policy-manual-guangzhou-100] quit
[Eudemon] interface GigabitEthernet 0/0/2
[Eudemon-GigabitEthernet0/0/2] ipsec policy guangzhou
3.23.62 tunnel remote
Format
tunnel remote ip-address
undo tunnel remote [ ip-address ]
Parameters
ip-address: refers to remote address in dotted decimal format.
Views
IPSec policy view in manual mode
Default Level
2: Configuration level
Usage Guidelines
By default, the remote address of an IPSec policy is not set. For an IPSec policy in manual mode, if a remote address has already been set, the original address must be deleted before a new remote address is set. The tunnel remote command applies only to IPSec policies in manual mode. A security tunnel is set up between the local and remote ends, so both the local address and the remote address must be correctly set before the tunnel can be established.
Examples
# Set the remote address of the IPSec policy to 10.1.1.2.
<Eudemon> system-view
[Eudemon] ipsec policy shanghai 10 manual
[Eudemon-ipsec-policy-manual-shanghai-10] tunnel remote 10.1.1.2
3.23.63 version
Function
Using the version command, you can set the IKE version number of an IKE peer. Using the undo version command, you can disable the IKE of a specified version.
Format
version { 1 | 2 }
undo version { 1 | 2 }
Parameters
1: used for IKEv1 negotiation.
2: used for IKEv2 negotiation.
Views
IKE peer view
Default Level
2: Configuration level
Usage Guidelines
If both IKEv1 and IKEv2 are enabled, IKEv2 is used to initiate negotiation, and both IKEv1 and IKEv2 are accepted when responding to negotiation. By default, both IKEv1 and IKEv2 are enabled.
Examples
# Set the protocol that is used by IKE peer peer1 in negotiation initiation to IKEv1.
<Eudemon> system-view
[Eudemon] ike peer peer1
[Eudemon-ike-peer-peer1] undo version 2
3.24.11 firewall dpi pattern-file active
3.24.12 firewall p2p-car relation-table aging-time
3.24.13 firewall p2p-detect behavior enable
3.24.14 firewall p2p-detect default-permit
3.24.15 firewall dpi packet-number
3.24.16 p2p-car
3.24.17 p2p-class
3.24.18 p2p-detect enable
3.24.19 p2p-detect mode
3.24.20 reset p2p-car statistic
3.24.21 undo cir index
3.24.1 cir
Function
Using the cir command, you can set a committed traffic rate for a specific time range of a certain P2P class.
Format
cir cir-rate index index time-range time-range-name
Parameters
cir-rate: specifies the committed traffic rate in the specified time range. It ranges from 0 kbit/s to 3145728 kbit/s.
index: specifies the index number of a time range of the P2P class. It ranges from 1 to 9.
time-range-name: specifies the name of the time range. The name is a string of up to 32 characters, starting with a letter (a through z or A through Z). To avoid ambiguity, never set the name to "all".
Views
P2P-class view
Default Level
2: Configuration level
Usage Guidelines
Each index can be used only once.
Each P2P class can be configured up to nine time ranges. If the same time range is configured with multiple committed traffic rates, the option with the smallest index value takes effect.
Examples
# Set a time range named night and set the committed rate of P2P traffic during time range night to 5000 kbit/s.
<Eudemon> system-view
[Eudemon] time-range night 18:00 to 23:59 daily
[Eudemon] p2p-class 1
[Eudemon-p2p-class-1] cir 5000 index 1 time-range night
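To make the index rule of the usage guidelines concrete, here is an added Python model of a P2P class with up to nine time-range entries. It is not Huawei code and not part of this reference: the TimeRange class is a constructed stand-in for the device's daily time-range objects, the limits are the ones documented for cir and cir default, and the function names are assumptions made for the example.

```python
# Added example (not Huawei code): which committed rate a P2P class applies
# at a given time of day, following the "smallest index wins" rule.
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, Tuple

# Limits documented for the cir and cir default commands on this page.
CIR_MAX = 3145728            # kbit/s
INDEX_MIN, INDEX_MAX = 1, 9
DEFAULT_CIR = 100            # kbit/s, the documented "cir default" value


@dataclass(frozen=True)
class TimeRange:
    """Stand-in for a daily time-range such as 'night 18:00 to 23:59 daily'."""
    start: time
    end: time

    def contains(self, t: time) -> bool:
        return self.start <= t <= self.end


@dataclass
class P2PClass:
    number: int
    default_cir: int = DEFAULT_CIR
    # index -> (cir in kbit/s, time-range name)
    entries: Dict[int, Tuple[int, str]] = field(default_factory=dict)

    def cir(self, cir_rate: int, index: int, time_range: str) -> None:
        """Mirror of 'cir cir-rate index index time-range name' with the documented checks."""
        if not 0 <= cir_rate <= CIR_MAX:
            raise ValueError(f"cir-rate {cir_rate} outside 0..{CIR_MAX} kbit/s")
        if not INDEX_MIN <= index <= INDEX_MAX:
            raise ValueError(f"index {index} outside {INDEX_MIN}..{INDEX_MAX}")
        if index in self.entries:
            raise ValueError(f"index {index} already used; each index can be used only once")
        if time_range == "all":
            raise ValueError('time-range name "all" is ambiguous')
        self.entries[index] = (cir_rate, time_range)

    def cir_default(self, cir_rate: int) -> None:
        """Mirror of 'cir default cir-rate'."""
        if not 0 <= cir_rate <= CIR_MAX:
            raise ValueError(f"cir-rate {cir_rate} outside 0..{CIR_MAX} kbit/s")
        self.default_cir = cir_rate


def effective_cir(cls: P2PClass, ranges: Dict[str, TimeRange], now: time) -> Tuple[int, int]:
    """Return (index, cir) in force at `now`: the smallest index whose time range
    matches the current time, else index 0, which stands for the default rate."""
    for index in sorted(cls.entries):
        rate, name = cls.entries[index]
        if ranges[name].contains(now):
            return index, rate
    return 0, cls.default_cir


if __name__ == "__main__":
    # The example on this page: time-range night, class 1, 5000 kbit/s at index 1.
    ranges = {"night": TimeRange(time(18, 0), time(23, 59))}
    cls = P2PClass(1)
    cls.cir(5000, 1, "night")
    cls.cir(8000, 2, "night")      # same range, larger index: never wins
    for t in (time(10, 0), time(20, 0)):
        print(t, effective_cir(cls, ranges, t))
```

At 20:00 the class returns index 1 with 5000 kbit/s even though index 2 also matches; outside the night range the default of 100 kbit/s applies, and reusing index 1 raises an error, just as the guideline says each index can be used only once.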
3.24.2 cir default
Format
cir default cir-rate
Parameters
cir-rate: specifies the default committed traffic rate. It ranges from 0 kbit/s to 3145728 kbit/s. The default value is 100 kbit/s.
Views
P2P class view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the default CIR of P2P class 1 to 5000 kbit/s.
<Eudemon> system-view
[Eudemon] p2p-class 1
[Eudemon-p2p-class-1] cir default 5000
3.24.3 debugging firewall p2p-car
Function
Using the debugging firewall p2p-car command, you can enable the P2P module debugging. Using the undo debugging firewall p2p-car command, you can disable the P2P module debugging.
Format
debugging firewall p2p-car { packet | error | event | all | update-event }
undo debugging firewall p2p-car { packet | error | event | all | update-event }
Parameters
packet: indicates the P2P module packet debugging.
event: indicates the P2P module event debugging.
error: indicates the P2P module error debugging.
all: indicates all P2P module debugging.
update-event: indicates the P2P module update debugging.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Enable the P2P event debugging.
<Eudemon> debugging firewall p2p-car event
Format
display p2p-car class [ class-number ]
Parameters
class-number: specifies the number of the P2P class whose configuration is to be displayed. The value ranges from 0 to 99.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If class-number is not specified, the configuration of all P2P classes is displayed.
Examples
# View the configuration of all P2P classes.
<Eudemon> display p2p-car class
Class  Index  Bandth(kbps)  State   time-range
0      0      100           Active
1      0      30000         Active
2      0      100           Active
2             20000         Active  day
3      0      100           Active
4      0      100           Active
5      0      100           Active
6      0      100
Table 3-22 shows the description of the display p2p-car class command output.
Table 3-22 Description of the display p2p-car class command output
Item: Description
Class: It indicates the number of the P2P class.
Index: It indicates the index of the bandwidth and time-range option. One P2P class can be configured with a maximum of 9 time range and bandwidth options. Index 0 indicates the default setting.
Bandth: It indicates the value of the bandwidth, that is, the committed P2P traffic rate. The unit is kbit/s.
State: It indicates the current state. "Null" indicates that it does not take effect, while "Active" means that it takes effect. If the system time matches a certain time range, the committed traffic rate with the smallest index value takes effect, instead of the other committed traffic rate options of the time range.
time-range
Format
display dpi pattern-file { active | on-flash }
Parameters
active: indicates the activated pattern file.
on-flash: indicates the pattern file on the flash memory.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display delivers the following information:
- Version number
- Upload time to flash memory
- Activation time (available for the activated pattern file only)
- Included protocols
- File size
Examples
# Display information about the activated pattern file.
<Eudemon> display dpi pattern-file active
Version:1.2.2.35
File active time:10:56:57 2008/03/14
File upload time:20:38:18 2008/03/13
File size:115328 bytes
P2P protocol name:BT. PPLIVE. Thunder. eDeM. FEIDIAN. QQlive. CCIPTV. GNUTELLA. Kazaa. PPSTREAM. COOLSTREAMING. DC. KUGOO. PPGou. POCO. BaiBao. Maze. TVAnts. UU See. Vagaa. BBSEE. MYSEE. Filetopia. Soulseek.
Format
display p2p-car statistic class
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the P2P class-based statistics.
<Eudemon> display p2p-car statistic class
class    receive(Pkt/Oct)   discard(Pkt/Oct)   permit(Pkt/Oct)
class0   147268836          147079762          189074
         20028561696        20002847632        25714064
class1   0                  0                  0
         0                  0                  0
class2   0                  0                  0
         0                  0                  0
class3   115030907          111041407          3989500
         15644203352        15101631352        542572000
class4   0                  0                  0
         0                  0                  0
class5   129113696          62651436           66462260
         17559462656        8520595296         9038867360
class6   0                  0                  0
         0                  0                  0
__________________________________________________________________________
total    391413439          320772605          70640834
                                               9607153424
The statistics are collected per P2P class, and class0 to class99 are printed. The output above shows class0 to class6.
Table 3-23 shows the description of the display p2p-car statistic class command output.
Table 3-23 Description of the display p2p-car statistic class command output
Item: Description
class: It indicates the number of the P2P class.
receive: It indicates the traffic received by the P2P class. The first line presents the number of packets. The second line presents the number of bytes.
discard: It indicates the traffic dropped by the P2P class. The first line presents the number of packets. The second line presents the number of bytes.
permit: It indicates the traffic permitted by the P2P class. The first line presents the number of packets. The second line presents the number of bytes.
Format
display p2p-car statistic protocol
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display the protocol-based statistics of the committed P2P traffic rates.
<Eudemon> display p2p-car statistic protocol
protocol        receive(Pkt/Oct)   discard(Pkt/Oct)   permit(Pkt/Oct)
BT              0                  0                  0
                0                  0                  0
PPLIVE          0                  0                  0
                0                  0                  0
Thunder         0                  0                  0
                0                  0                  0
eDeM            0                  0                  0
                0                  0                  0
FEIDIAN         123798973          0                  123798973
                16836660328        0                  16836660328
QQlive          379735383          135200548          244534835
                51644012088        18387274528        33256737560
CCIPTV          0                  0                  0
                0                  0                  0
GNUTELLA        0                  0                  0
                0                  0                  0
Kazaa           0                  0                  0
                0                  0                  0
PPSTREAM        0                  0                  0
                0                  0                  0
COOLSTREAMING   0                  0                  0
                0                  0                  0
DC              0                  0                  0
                0                  0                  0
KUGOO           234696645          166972359          67724286
                31918743720        22708240824        9210502896
PPGou           0                  0                  0
                0                  0                  0
POCO            0                  0                  0
                0                  0                  0
BaiBao          0                  0                  0
                0                  0                  0
Maze            0                  0                  0
                0                  0                  0
TVAnts          123798973          0                  123798973
                16836660328        0                  16836660328
UUSee           0                  0                  0
                0                  0                  0
Vagaa           0                  0                  0
                0                  0                  0
BBSEE           0                  0                  0
                0                  0                  0
MYSEE           0                  0                  0
                0                  0                  0
Filetopia       0                  0                  0
                0                  0                  0
Soulseek        0                  0                  0
                0                  0                  0
____________________________________________________________________
total           862029974          302172907          559857067
                117236076464       41095515352        76140561112
statistic from 14:24:35 2008/03/14 to 17:54:24 2008/03/14
Table 3-24 shows the description of the display p2p-car statistic protocol command output.
Table 3-24 Description of the display p2p-car statistic protocol command output
Item       Description
protocol   It indicates the name of the P2P protocol.
receive    It indicates the received traffic of a certain protocol. The first line presents the number of packets; the second line presents the number of bytes.
discard    It indicates the dropped traffic of a certain protocol. The first line presents the number of packets; the second line presents the number of bytes.
permit     It indicates the permitted traffic of a certain protocol. The first line presents the number of packets; the second line presents the number of bytes.
Format
display p2p-car statistic relation-table
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the statistics of the P2P relation table.
<Eudemon> display p2p-car statistic relation-table
Current relation table number:4
Function
Using the firewall p2p-car default-permit command, you can enable the global P2P traffic limiting function. Using the undo firewall p2p-car default-permit command, you can disable the global P2P traffic limiting function.
Format
firewall p2p-car default-permit
undo firewall p2p-car default-permit
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After you run the firewall p2p-car default-permit command, the firewall employs the setting of class 0 by default to limit P2P traffic. By default, the global P2P traffic limiting function is disabled.
Examples
# Enable the global P2P traffic limiting function.
<Eudemon> system-view
[Eudemon] firewall p2p-car default-permit
Format
firewall p2p-car include protocol
undo firewall p2p-car include protocol
Parameters
protocol: specifies the types of protocols covered by the P2P traffic limiting function. You can select any type of protocols supported by the current system.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
NOTE
You must load the P2P pattern file to the FLASH and activate the file before running the command.
Examples
# Restrict the PPLive traffic.
<Eudemon> system-view
[Eudemon] firewall p2p-car include pplive
Format
firewall dpi pattern-file active
undo firewall dpi pattern-file active
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
When an unidentifiable protocol appears on the network and an existing pattern file can identify that protocol, you can upgrade the Eudemon by activating that pattern file. The newly activated pattern file overwrites the old pattern file. The name of the pattern file is protocol.rul. Before activating a pattern file, you need to obtain the file and download it to the FLASH of the Eudemon through FTP. Because activating a pattern file deletes all existing statistics, it is recommended that you activate the pattern file when the volume of P2P traffic is low.
Examples
# Activate the pattern file (No activated pattern file exists yet).
<Eudemon> system-view
[Eudemon] firewall dpi pattern-file active
Active pattern file successfully !
# Activate the pattern file (An activated pattern file exists already).
<Eudemon> system-view
[Eudemon] firewall dpi pattern-file active
The using version is 1.2.2.3E,new version is 1.2.2.3E,Overwrite it?[Y/N]:y
Active pattern file successfully !
Format
firewall p2p-car relation-table aging-time aging-time
Parameters
aging-time: specifies the aging time of the relation table. It ranges from 1 second to 120 seconds. The default value is 20 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The relation table records IP addresses and port numbers using the P2P protocols. If the newly created session matches an IP address and port number listed in the relation table, the session is directly considered as a P2P session.
Examples
# Set the aging time of the relation table to 40 seconds.
<Eudemon> system-view
[Eudemon] firewall p2p-car relation-table aging-time 40
Format
firewall p2p-detect behavior enable
undo firewall p2p-detect behavior enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After you run this command, the Eudemon can identify P2P sessions and collect statistics on multiple types of packets according to the packet patterns; this detection is independent of traffic limiting. Run the firewall p2p-detect default-permit command to enable in-depth detection first. If in-depth detection is not adequate, configure behavior detection, which specifically detects encrypted data flows.
Examples
# Enable global P2P behavior detection.
<Eudemon> system-view
[Eudemon] firewall p2p-detect behavior enable
Function
Using the firewall p2p-detect default-permit command, you can enable the global P2P traffic in-depth detection function. Using the undo firewall p2p-detect default-permit command, you can disable the global P2P traffic in-depth detection function.
Format
firewall p2p-detect default-permit
undo firewall p2p-detect default-permit
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After you run the firewall p2p-detect default-permit command, the Eudemon can identify the P2P protocols supported by the current system and collect traffic statistics for each protocol. However, the Eudemon does not restrict P2P traffic. If traffic limiting has been configured, you do not have to configure detection policies; the system implements in-depth detection by default.
Examples
# Enable the global P2P traffic in-depth detection function.
<Eudemon> system-view
[Eudemon] firewall p2p-detect default-permit
Format
firewall dpi packet-number number
Parameters
number: indicates the maximum number of P2P packets detected. The value is an integer in a range of 1 to 48. The default value is 16.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
For an unknown session, the Eudemon inspects at most the configured maximum number of packets. If the system cannot identify the session by the time that maximum is reached, the session is no longer processed as a P2P session. When P2P behavior detection is configured, it is recommended that you set the number of packets detected to more than 5.
Examples
# Configure the maximum number of the P2P packets detected as 5.
<Eudemon> system-view
[Eudemon] firewall dpi packet-number 5
3.24.16 p2p-car
Function
Using the p2p-car command, you can apply the P2P traffic limiting policy to the specified interzone.
Format
p2p-car acl-number class class-number { inbound | outbound }
undo p2p-car acl-number class class-number { inbound | outbound }
Parameters
acl-number: specifies the ACL number. It ranges from 2000 to 3999. ACL 2000 through 2999 are basic ACL rules, and ACL 3000 through 3999 are advanced ACL rules. The permit statement of an ACL rule specifies users whose traffic needs to be limited, while the deny statement specifies users who need not be restricted.
class-number: specifies the number of the P2P class. It ranges from 0 to 99.
inbound: indicates that the P2P traffic limiting policy is applied to the inbound packets.
outbound: indicates that the P2P traffic limiting policy is applied to the outbound packets.
Views
Interzone view
Default Level
2: Configuration level
Usage Guidelines
A class can be referenced by only one ACL. An interzone traffic limit policy has a higher priority than the global default traffic limit policy.
Examples
# Apply P2P class 1 to the inbound direction between the Trust and Untrust zones.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] p2p-car 2000 class 1 inbound
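The following is an added example, not Huawei's code, that models how the mechanisms described in the preceding sections fit together: the relation table with its aging time (firewall p2p-car relation-table aging-time), depth detection bounded by firewall dpi packet-number, and the p2p-car ACL rule in which permit selects the users whose traffic is limited. The payload signatures, addresses and sessions are constructed for the example; real pattern files (protocol.rul) are not modelled.

```python
# Added example (not Huawei's code): simplified model of Eudemon P2P identification.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

# Constructed toy payload signatures keyed by protocol names from the pattern file.
SIGNATURES: Dict[bytes, str] = {
    b"\x13BitTorrent protocol": "BT",
    b"GNUTELLA CONNECT": "GNUTELLA",
}


@dataclass
class RelationTable:
    """IP/port pairs seen using a P2P protocol; entries expire after aging_time seconds."""
    aging_time: int = 20  # reference default 20 s, valid range 1..120
    entries: Dict[Endpoint, Tuple[str, int]] = field(default_factory=dict)

    def lookup(self, ep: Endpoint, now: int) -> Optional[str]:
        hit = self.entries.get(ep)
        if hit is None:
            return None
        proto, last_seen = hit
        if now - last_seen > self.aging_time:  # entry has aged out
            del self.entries[ep]
            return None
        return proto

    def add(self, ep: Endpoint, proto: str, now: int) -> None:
        self.entries[ep] = (proto, now)

    def __len__(self) -> int:  # "Current relation table number"
        return len(self.entries)


@dataclass
class Session:
    src: Endpoint
    dst: Endpoint
    inspected: int = 0  # packets already examined by depth detection
    protocol: Optional[str] = None
    gave_up: bool = False  # packet-number reached without a signature match


class P2PDetector:
    def __init__(self, packet_number: int = 16, aging_time: int = 20):
        if not 1 <= packet_number <= 48:
            raise ValueError("packet-number must be 1..48")
        self.packet_number = packet_number
        self.table = RelationTable(aging_time)

    def classify(self, sess: Session, payload: bytes, now: int) -> Optional[str]:
        """Return the P2P protocol name for this packet's session, or None."""
        if sess.protocol:
            return sess.protocol
        if sess.gave_up:
            return None  # no longer processed as a P2P session
        # 1. Relation-table hit: the session is treated as P2P directly.
        for ep in (sess.src, sess.dst):
            proto = self.table.lookup(ep, now)
            if proto:
                sess.protocol = proto
                self.table.add(ep, proto, now)  # refresh the entry
                return proto
        # 2. Depth detection on at most packet_number packets of the session.
        sess.inspected += 1
        for sig, proto in SIGNATURES.items():
            if sig in payload:
                sess.protocol = proto
                self.table.add(sess.src, proto, now)
                self.table.add(sess.dst, proto, now)
                return proto
        if sess.inspected >= self.packet_number:
            sess.gave_up = True
        return None


def p2p_car_limits(acl_rules: List[Tuple[str, str]], user_ip: str) -> bool:
    """Basic-ACL semantics of p2p-car: a matching 'permit' rule means the user's P2P
    traffic IS limited, a matching 'deny' rule exempts the user. Rules are
    (action, source) with source an IP address or 'any'; first match wins."""
    for action, src in acl_rules:
        if src == "any" or src == user_ip:
            return action == "permit"
    return False  # no match: the user is not limited


if __name__ == "__main__":
    det = P2PDetector(packet_number=5, aging_time=20)
    a = Session(("10.0.0.5", 51413), ("203.0.113.9", 6881))
    print(det.classify(a, b"\x13BitTorrent protocol...", now=100))  # BT via signature
    b = Session(("10.0.0.6", 40000), ("203.0.113.9", 6881))
    print(det.classify(b, b"opaque payload", now=110))  # BT via relation table
    print(p2p_car_limits([("permit", "10.0.0.5"), ("deny", "any")], "10.0.0.6"))
```

Note that a session whose peers were seen within the aging time is classified without any payload inspection, which is why a long aging time widens the set of flows counted (and limited) as P2P.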
3.24.17 p2p-class
Function
Using the p2p-class command, you can enter a specific P2P class view. Using the undo p2p-class command, you can remove the current configuration of a P2P class and initialize its settings. Once the command is run, all time range and bandwidth options configured for this P2P class become invalid and the default committed traffic rate is restored to 100 kbit/s.
Format
p2p-class class-number
undo p2p-class class-number
Parameters
class-number: specifies the number of the P2P class. It ranges from 0 to 99.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enter the P2P class 1 view.
<Eudemon> system-view
[Eudemon] p2p-class 1
[Eudemon-p2p-class-1]
Format
p2p-detect enable
undo p2p-detect enable
Parameters
None
Views
Interzone view
Default Level
2: Configuration level
Usage Guidelines
After inter-zone P2P detection is enabled, inter-zone P2P sessions are detected using depth detection. Configure this detection only for the specific zones that require P2P detection between them, to narrow the detection range and improve performance. If a traffic limit policy is configured, no detection policy needs to be configured and the default depth detection mode can be used. If P2P detection needs to be used independently without limiting traffic, or if detection is performed to improve the P2P identification ratio, you can configure the P2P detection policy.
Examples
# Enable inter-zone P2P detection.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] p2p-detect enable
Format
p2p-detect mode { default | behavior }
undo p2p-detect mode { default | behavior }
Parameters
default: uses depth detection as the P2P detection mode.
behavior: uses behavior detection as the P2P detection mode.
Views
Interzone view
Default Level
2: Configuration level
Usage Guidelines
After this command is executed, the Eudemon identifies P2P sessions using the configured detection mode, independent of traffic limiting. An inter-zone detection policy has a higher priority than the global detection policy. If no global or inter-zone traffic limit policy is configured, the configured detection mode takes effect only after the p2p-detect enable command is executed; otherwise, no P2P detection is performed.
Examples
# Configure the inter-zone P2P detection mode as behavior detection.
<Eudemon> system-view
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] p2p-detect mode behavior
Format
reset p2p-car statistic
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Clear P2P statistics.
<Eudemon> reset p2p-car statistic
Format
undo cir index index
Parameters
index: specifies the index number of the time range of the P2P class. It ranges from 1 to 9.
Views
P2P class view
Default Level
3: Management level
Usage Guidelines
None
Examples
# Remove the setting of the committed P2P traffic rate indexed 1 for P2P class 1.
<Eudemon> system-view
[Eudemon] p2p-class 1
[Eudemon-p2p-class-1] undo cir index 1
Format
cut access-user { all | ip ip-address | user-name user-name }
Parameters
all: specifies all online users.
ip-address: specifies the IP address of the online user in dotted decimal notation.
user-name: specifies the user name of the online user. It is a string of 1 to 32 characters.
Views
Secospace cooperation configuration view
Default Level
2: Configuration level
Usage Guidelines
Users may be forced to log out when specific abnormalities occur. In such cases, run the cut access-user command.
Examples
# Force the user whose IP address is 2.2.2.2 to log out.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] cut access-user ip 2.2.2.2
Format
debugging right-manager { all | event | message | packet | user [ ip ip-address | user-name user-name ] }
Parameters
all: displays all debugging information.
event: displays the event debugging information.
message: displays the message debugging information.
packet: displays the packet debugging information.
user: displays the login and logout debugging information of all users.
ip-address: displays the login and logout debugging information of users with the specified IP address.
user-name: displays the login and logout debugging information of the user(s) with the specified user name.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, debugging is disabled.
Examples
# Enable all debugging information.
<Eudemon> debugging right-manager all
*0.169652666 Eudemon RIGHTM/8/debug:EVENT from MAIN Module Receive a refresh msg from nps.
*0.170129066 Eudemon RIGHTM/8/debug:EVENT from COPS Module connect to 10.1.2.2.
*0.170262433 Eudemon RIGHTM/8/debug:USER name_Tom(1.6.165.5) from CONFIG Module logout
*0.170376183 Eudemon RIGHTM/8/debug:USER (1.6.165.5) from CONFIG Module login
Online users reaches max number !
delete user fail !
Table 3-25 shows the description of the debugging right-manager command output.
Table 3-25 Description of the debugging right-manager command output
Item                                                        Description
EVENT from MAIN Module Receive a refresh msg from nps       The MAIN module receives a refresh message from the NPS.
EVENT from COPS Module connect to 10.1.2.2                  The COPS connection is set up successfully.
logout                                                      The user logs out successfully.
login                                                       The user logs in successfully.
Online users reaches max number                             The number of online users reaches the upper limit and other users cannot log in.
delete user fail                                            Forcing a user to log out fails because the user does not exist.
Format
default acl 3099
undo default acl 3099
Parameters
None
Views
Secospace cooperation configuration view, System view
Default Level
2: Configuration level
Usage Guidelines
Run the default acl 3099 command in the Secospace cooperation configuration view. Run the undo default acl 3099 command in the system view. If an ACL with the group number 3099 is already configured, running the default acl 3099 command makes the system automatically delete all the rules in ACL 3099.
CAUTION
By default, the ACL rule group number is 3099 only. If the ACL rule group number is configured as another value, the Eudemon does not support that ACL group. The default ACL rules (excluding rule 0 through 999) are generated by the Eudemon according to the policy delivered by the Secospace server. You can customize rule 0 through 999 to meet the requirements of special applications. If you enable state detection with the 3.25.13 right-manager status-detect enable command, the interzones are the interzone between the security zone where the user resides and the security zone where the Secospace server resides, and the interzone between the security zone where the user resides and the security zone where the controlled resource service resides. If you did not enable state detection, the interzone is the interzone between the security zone where the user resides and the security zone where the Secospace server resides.
Examples
# Configure the default ACL rule group number.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] default acl 3099
Please be careful that all rules of the ACL have been deleted!
Format
display right-manager online-users [ ip ip-address | role-name role-name | user-name username ]
Parameters
ip-address: specifies the IP address of the online user in dotted decimal notation.
role-name: specifies the role name of the online user. It is a string of 1 to 32 characters.
user-name: specifies the user name of the online user. It is a string of 1 to 32 characters.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
A role can be used for many users and a user can use multiple roles. You can specify at most 16 roles for a user.
Examples
# View the online users.
<Eudemon> display right-manager online-users
------------------------------------------------------------------------
Username  : name_Tom
Ip        : 1.1.5.165
LoginTime : 15:57:56 2007-12-14
Rolename  : kk1
RoleId    : 1
------------------------------------------------------------------------
Username  : name_John
Ip        : 2.1.5.166
LoginTime : 15:57:56 2007-12-15
Rolename  : kk1
RoleId    : 1
Table 3-26 shows the description of the display right-manager online-users command output.
Table 3-26 Description of the display right-manager online-users command output
Item        Description
Username    User name of the online user.
Ip          IP address of the online user.
LoginTime   Login time of the online user.
Rolename    Role name(s) of the online user; up to 16 role names can be displayed.
RoleId      Role ID(s) of the online user; up to 16 role IDs can be displayed.
Function
Using the display right-manager role-id rule command, you can view the rules that are associated with the specified roles.
Format
display right-manager role-id role-id rule
Parameters
role-id: specifies the role ID. It is an integer, in the range of 0 to 900.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the rules of the specified role.
<Eudemon> display right-manager role-id 8 rule
This role has no rule!
<Eudemon> display right-manager role-id 1 rule
Advanced ACL 3100, 2 rules
Acl's step is 1
rule 2 deny ip destination 100.100.100.0 0.0.0.255
rule 6 permit ip
Format
display right-manager role-info
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the role information about the user.
<Eudemon> display right-manager role-info
All Role count:10
Role ID   ACL3xxx   Rolename
-------------------------------------------------------------------
Role 0    3099      default
Role 1    3100      BaseResGroup
Role 2    3101      kk2
Role 3    3102      kk3
Role 4    3103      kk4
-------------------------------------------------------------------
Role 5    3104      kk5
Role 6    3105      kk6
Role 7    3106      kk7
Role 8    3107      kk8
Role 9    3108      kk9
-------------------------------------------------------------------
Table 3-27 shows the description of the display right-manager role-info command output.
Table 3-27 Description of the display right-manager role-info command output
Item       Description
Role ID    Indicates the role ID. The role ID ranges from 0 to 900. The value 0 represents the default rule.
ACL3xxx    Indicates the advanced ACL group number of the role.
Rolename   Indicates the role name.
NOTE
Format
display right-manager server-group
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the information about the current server group configured on the Eudemon.
<Eudemon> display right-manager server-group
Server-state : Enable
Server-number: 5
Server-ip-address   port   state      master
192.168.10.10       3288   active     Y
10.0.0.1            3288   inactive   N
10.0.0.2            3288   inactive   N
10.0.0.3            3288   inactive   N
10.0.0.4            3288   inactive   N
Table 3-28 shows the description of the display right-manager server-group command output.
Table 3-28 Description of the display right-manager server-group command output
Item                Description
Server-state        Indicates whether the server group is enabled:
                    - Enable indicates that the server group is effective.
                    - Disable indicates that the server group is ineffective.
Server-number       Indicates the number of servers in the server group. There are five servers in the group here.
Server-ip-address   Indicates the server IP address.
port                Indicates the port for communications with the server.
state               Indicates the connection state of the server:
                    - active indicates that the connection is normal.
                    - inactive indicates that the connection is abnormal.
master              Indicates whether the server is the master (Y) or a slave (N); see the note below.
NOTE
Multiple Secospace servers can be deployed. One of the Secospace servers is the master, and the others are slaves. The Eudemon connects with the master. Upon disconnection from the master, the Eudemon attempts to connect with the slaves.
Format
display right-manager statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# View the statistics of right management.
<Eudemon> display right-manager statistics
Online user number           : 23
In all login times           : 24
In all logout times          : 1
Received COPS packets number : 28
Send COPS packets number     : 28
COPS packets error number    : 0
Protocol process error number: 0
Table 3-29 shows the description of the display right-manager statistics command output.
Table 3-29 Description of the display right-manager statistics command output
Item                            Description
Online user number              Number of online users
In all login times              Number of login attempts
In all logout times             Number of logout attempts
Received COPS packets number    Number of COPS packets that are received
Sent COPS packets number        Number of COPS packets that are sent
COPS packets error number       Number of COPS packet errors
Protocol process error number   Number of protocol process errors
Format
right-manager authentication url web-url
undo right-manager authentication url web-url
Parameters
url web-url: specifies the web authentication URL. It is a string of 1 to 256 characters.
Views
Secospace cooperation configuration view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Set the web authentication of the Eudemon cooperating with the Secospace.
<Eudemon> system-view
Format
right-manager server-group active-minimum active-minimum
undo right-manager server-group active-minimum
Parameters
active-minimum: specifies the lower threshold for the number of Secospace servers connected to the Eudemon. The value ranges from 1 to 8, and the default value is 1.
Views
Secospace cooperation configuration view
Default Level
2: Configuration level
Usage Guidelines
When the function of checking the connection status of the Secospace server is enabled, the Eudemon opens the escape channel (all users are allowed through without right control) if the number of Secospace servers connected to the Eudemon is less than active-minimum, and closes the escape channel if that number is greater than or equal to active-minimum. By default, the lower threshold for connected Secospace servers is 1.
Examples
# Set the number of active servers of the Eudemon to 3.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] right-manager server-group active-minimum 3
Function
Using the right-manager server-group command, you can enter the Secospace cooperation configuration view. You can perform Secospace cooperation and related configuration after the command is executed.
Format
right-manager server-group
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enter the Secospace cooperation configuration view.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm]
Format
right-manager server-group enable
undo right-manager server-group enable
Parameters
None
Views
Secospace cooperation configuration view
Default Level
2: Configuration level
Usage Guidelines
Before enabling the Secospace server group function, you need to configure the default ACL rule. When the server group is enabled, the Eudemon immediately attempts to connect to the servers in the group. After the connection is established successfully, Eudemon can receive the roles and role rules delivered by the Secospace server. By default, the Secospace server group function is disabled.
Examples
# Enable the Secospace server group.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] right-manager server-group enable
Format
right-manager status-detect enable
undo right-manager status-detect enable
Parameters
None
Views
Secospace cooperation configuration view
Default Level
2: Configuration level
Usage Guidelines
Before enabling the function of checking the connection status between the Secospace server and the Eudemon, you need to configure the default ACL rule. In the following cases, the Eudemon allows all users to obtain network resources:
- If only one server is added and the link between the server and the Eudemon goes down, all rights are granted to users. When the fault is rectified, the original right control is restored.
- If multiple servers are added and the links between all the servers and the Eudemon fail, users are assigned all rights. When one server recovers, the original control function is restored.
Examples
# Enable the status-detect function.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] right-manager status-detect enable
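The following is an added example, not Huawei's code, that models the escape behaviour described under right-manager server-group active-minimum and right-manager status-detect enable: with status detection on, fewer than active-minimum connected servers means every user is granted all rights (the device fails open), and role-based control returns once enough servers reconnect. The server names, the event sequence and the treatment of the status-detect-disabled case are constructed assumptions for the example.

```python
# Added example (not Huawei's code): model of the Secospace server-group escape logic.
from typing import Dict, List, Tuple


class SecospaceGroup:
    def __init__(self, servers: List[str], active_minimum: int = 1,
                 status_detect: bool = False):
        if not 1 <= active_minimum <= 8:  # range given in the reference
            raise ValueError("active-minimum must be 1..8")
        # Constructed: the group starts with no server connected.
        self.connected: Dict[str, bool] = {s: False for s in servers}
        self.active_minimum = active_minimum
        self.status_detect = status_detect

    def active_count(self) -> int:
        return sum(1 for up in self.connected.values() if up)

    def escape_open(self) -> bool:
        """True when the Eudemon lets all users through without role rules.
        Assumption for this example: with status-detect disabled the escape
        channel is never opened and role rules keep applying."""
        if not self.status_detect:
            return False
        return self.active_count() < self.active_minimum

    def effective_control(self) -> str:
        return "all-rights" if self.escape_open() else "role-rules"

    def always_escaped(self) -> bool:
        """Configuration check: if active-minimum exceeds the number of servers in
        the group, the threshold can never be met and the escape stays open."""
        return self.status_detect and self.active_minimum > len(self.connected)

    def apply_events(self, events: List[Tuple[str, bool]]) -> List[str]:
        """Replay (server, link_up) events and return the control mode after each."""
        modes = []
        for server, up in events:
            if server not in self.connected:
                raise KeyError(server)
            self.connected[server] = up
            modes.append(self.effective_control())
        return modes


if __name__ == "__main__":
    # Constructed scenario: master plus one slave, status-detect on, active-minimum 1.
    group = SecospaceGroup(["master", "slave1"], active_minimum=1, status_detect=True)
    timeline = group.apply_events([("master", True), ("master", False),
                                   ("slave1", True)])
    print(timeline)  # role-rules while the master is up, all-rights after it drops
    misconfigured = SecospaceGroup(["only"], active_minimum=2, status_detect=True)
    print(misconfigured.always_escaped())  # threshold cannot be met
```

The always_escaped check is worth running after changing active-minimum, because an unreachable threshold silently turns the right-manager into permit-all.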
Format
right-manager user user-name user-name ip ip-address roles { role-id role-id | role-name role-name }
undo right-manager user user-name ip ip-address
Parameters
user-name: specifies the name of the privileged user. It is a string of 1 to 32 characters.
ip-address: specifies the IP address of the privileged user in dotted decimal notation.
role-id: specifies the role ID of the privileged user. It is an integer in the range from 1 to 900.
role-name: specifies the role name of the privileged user. It is a string of 1 to 32 characters.
Views
Secospace cooperation configuration view
Default Level
2: Configuration level
Usage Guidelines
Before running the right-manager user user-name ip roles command, you need to configure the default ACL rule. With this command, you can add a privileged user (if the user name does not exist yet) or modify the role of a user (if the user name already exists). Once the special access permission is withdrawn, the user needs to pass authentication to obtain the desired access permission. The mappings between IP address, role, and user are:
- One role name maps to one role ID.
- One role can map to multiple users.
- One user can have multiple roles. You can specify at most 16 roles for a user.
- One IP address maps to one user.
- IP addresses are not directly related to roles.
Examples
# Add a new online user lisa with the IP address of 10.0.0.1 and role ID of 5.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] right-manager user user-name lisa ip 10.0.0.1 roles role-id 5
3.25.15 server ip
Function
Using the server ip command, you can add Secospace servers. Using the undo server ip command, you can delete Secospace servers.
Format
server ip ip-address [ port port-number ] [ shared-key key ]
undo server ip ip-address port port-number
Parameters
ip-address: specifies the IP address of the Secospace server in dotted decimal notation.
port-number: specifies the port number used between the Eudemon and the Secospace server. It is an integer in the range of 1025 to 65535. By default, the value is 3288.
key: specifies the pre-shared key between the Eudemon and the Secospace server. It is a string of 1 to 128 characters. By default, the key is secospace.
Views
Secospace cooperation configuration view
Default Level
2: Configuration level
Usage Guidelines
Only after the 3.25.3 default acl 3099 command is executed can the Secospace server be added successfully. When the Secospace servers are added and the server group is enabled through the command 3.25.12 right-manager server-group enable, the Eudemon immediately attempts to connect with the Secospace servers.
Examples
# Add the Secospace server with the IP address 12.33.44.55 and the pre-shared key Quidway.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] server ip 12.33.44.55 shared-key Quidway
Format
sync role-info [ role-id role-id | role-name role-name ]
Parameters
role-id: specifies the role ID. It is an integer in the range of 0 to 900.
role-name: specifies the role name. It is a string of 1 to 32 characters.
Views
Secospace cooperation configuration view
Default Level
2: Configuration level
Usage Guidelines
The Secospace server periodically notifies the Eudemon of roles and role rules. Roles and role rules can also be synchronized manually from the Secospace server by running this command. Use this command for manual synchronization only when automatic synchronization of roles and role rules cannot complete normally because the Eudemon has a fault or the link state is poor.
Examples
# Synchronize the role with the ID 3.
<Eudemon> system-view
[Eudemon] right-manager server-group
[Eudemon-rightm] sync role-info role-id 3
4 Reliability
About This Chapter
4.1 VRRP Backup Group Configuration Commands
4.2 HRP Configuration Commands
Format
debugging vrrp { packet | state | timer } [ vrid virtual-router-id ]
undo debugging vrrp { packet | state | timer }
Parameters
packet: enables the packet debugging of a VRRP backup group. state: enables the state debugging of a VRRP backup group. timer: enables the timer debugging of a VRRP backup group.
vrid virtual-router-id: specifies the ID of a VRRP backup group. The value is an integer in the range of 1 to 255.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, the debugging of a VRRP backup group is disabled.
Examples
# Enable the state debugging of a VRRP backup group.
<Eudemon> debugging vrrp state
Format
debugging vrrp-group { all | packet | state | timer } undo debugging vrrp-group { all | packet | state | timer }
Parameters
all: enables all debugging of the VRRP management group.
packet: enables packet debugging of the VRRP management group.
state: enables state debugging of the VRRP management group.
timer: enables timer debugging of the VRRP management group.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, the debugging of VRRP management group is disabled.
Examples
# Enable state debugging of the VRRP management group.
<Eudemon> debugging vrrp-group state
Format
display ip-link [ number ]
Parameters
number: specifies the ID of the IP-Link. The value is an integer in the range of 1 to 32.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When no ID is specified, the configuration and status information about all IP-Links is displayed.
Examples
# Query all IP-Links.
<Eudemon> display ip-link
Format
display link-group link-group-id
Parameters
link-group-id: specifies the ID of a Link-group. The value ranges from 1 to 64.
Views
All views
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Display the interface status of all members within the specified Link-group.
<Eudemon> display link-group 1
Format
display vrrp [ interface interface-type interface-number [ virtual-router-id ] ]
Parameters
interface interface-type interface-number: specifies the type and number of an interface. The interface type can only be Ethernet.
virtual-router-id: specifies the ID of a VRRP backup group. The value is an integer in the range of 1 to 255.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
By setting different optional parameters, you can view different status information and configuration parameters. Specifically:
- If both the interface name and the backup group ID are set in the command, you can view the status information and configuration parameters of the relevant backup group.
- If only the interface name is set in the command, you can view the status information and configuration parameters of all backup groups associated with the interface.
- If neither the interface name nor the backup group ID is set in the command, you can view the status information and configuration parameters of all backup groups associated with the Eudemon.
Examples
# Display all backup groups associated with the Eudemon.
<Eudemon> display vrrp
# Display the specified backup group associated with the GigabitEthernet 0/0/0.
<Eudemon> display vrrp interface GigabitEthernet 0/0/0 1
Format
firewall composite-hrp permit-backupforward undo firewall composite-hrp permit-backupforward
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
This command is applicable only to the master device working in composite mode. When the Eudemon and routers form a network that serves as route redundancy backup in composite mode, you can permit the backup device to forward packets so that routing protocol packets can pass through the firewall. When the Eudemon and switches form the network, you must not permit the backup device to forward packets; otherwise, a packet loop occurs. By default, the backup device is not permitted to forward packets.
Examples
# Permit the backup device to forward packets.
<Eudemon> system-view
[Eudemon] firewall composite-hrp permit-backupforward
4.1.7 ip-link
Function
Using the ip-link command, you can enable the IP link checking. Using the undo ip-link command, you can disable the IP link checking.
Format
ip-link link-id [ vpn-instance vpn-instance-name ] destination ip-address [ interface interface-type interface-number ] [ timer interval ] [ mode { icmp | arp } ]
undo ip-link link-id
Parameters
link-id: specifies the ID of the link to be checked. The value is an integer that ranges from 1 to 32.
vpn-instance-name: specifies the VPN instance name. The value is a string of 1 to 19 characters.
ip-address: specifies the destination IP address in dotted decimal notation.
interface interface-type interface-number: specifies the type and number of the interface of the IP link on this end.
timer interval: specifies the interval for receiving link-checking packets. The value ranges from 1 second to 5 seconds. The default value is 3 seconds.
icmp: indicates that ICMP packets are sent to the specified destination IP address for link detection.
arp: indicates that ARP packets are sent to the specified destination IP address for link detection.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The optional items [ vpn-instance vpn-instance-name ] and [ interface interface-type interface-number ] indicate that the link can be bound to a VPN instance or to an outbound interface. Sub-interfaces cannot be specified.
Examples
# Specify an IP link to be checked.
<Eudemon> system-view
[Eudemon] ip-link 1 destination 1.1.1.1 timer 5
Format
ip-link check enable undo ip-link check enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the link reachability check is disabled.
Examples
# Enable the IP link auto-detection function.
<Eudemon> system-view
[Eudemon] ip-link check enable
4.1.9 link-group
Function
Using the link-group command, you can add an interface to the Link-group management group. Using the undo link-group command, you can delete an interface from the Link-group management group.
Format
link-group link-group-id undo link-group
Parameters
link-group-id: specifies the ID of a Link-group. The value ranges from 1 to 12.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the system is not configured with a Link-group management group. In a logical group, if one physical interface becomes faulty and changes to the Down state, all the other physical interfaces in the logical group change to the Down state. This ensures that all the physical interfaces in the logical group are in the same state. The command does not support sub-interfaces.
Examples
# Add GigabitEthernet 0/0/2 to Link-group 1.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/2
[Eudemon-GigabitEthernet0/0/2] link-group 1
Format
vrrp authentication-mode simple key undo vrrp authentication-mode
Parameters
simple: indicates simple text authentication.
key: specifies the authentication key. The value is a string of 1 to 8 case-sensitive characters.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, no authentication mode is configured. Using this command, you can set the authentication mode and authentication key for all VRRP backup groups associated with an interface, because the protocol prescribes that backup groups associated with the same interface use the same authentication mode and authentication key; the same applies to the members of one backup group. The authentication mode and authentication key are case sensitive, and the authentication key must be configured when simple mode is applied.
Examples
# Set authentication mode and authentication key for all VRRP backup groups associated with GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] vrrp authentication-mode simple user
Format
vrrp un-check ttl
Parameters
None
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the Eudemon checks the TTL value of VRRP packets. As stipulated in RFC 2338, the system checks the TTL value of received VRRP packets; if the value is not 255, the packets are discarded. In some networking environments, especially when devices from different manufacturers are used together, this processing may cause packets to be discarded incorrectly. In that case, you can configure the system not to check the TTL value of VRRP packets.
Examples
# Disable the check of the TTL value of VRRP packets.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] vrrp un-check ttl
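The two receive-side checks described for the vrrp authentication-mode and vrrp un-check ttl commands (the RFC 2338 TTL rule and simple-text key matching) are easier to reason about against the packet itself. The following Python module is an added example written for this page; it is not code from the command reference or from the Eudemon software. It builds a VRRPv2 advertisement and validates one as a receiver would: the IP TTL (passed in as ip_ttl, because it lives in the IP header rather than in the VRRP payload) must be 255 unless check_ttl is False, which models the un-check ttl setting, and the 8-byte authentication field must match the configured key. The sample values (vrid 1, virtual IP 10.10.10.10, key "user") are constructed to match the reference's own examples.

```python
# Added example (not from the Eudemon command reference): VRRPv2 (RFC 2338)
# advertisement builder plus a receiver-side validator applying the checks the
# reference describes (TTL must be 255 unless "vrrp un-check ttl"; simple-text
# authentication key must match).
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1
AUTH_NONE = 0
AUTH_SIMPLE = 1          # "vrrp authentication-mode simple"
REQUIRED_TTL = 255       # RFC 2338: discard advertisements with any other TTL
AUTH_DATA_LEN = 8        # RFC 2338 carries 8 bytes of authentication data


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over the VRRP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class VrrpAdvertisement:
    vrid: int
    priority: int
    auth_type: int
    adver_int: int
    virtual_ips: List[str]
    auth_data: bytes


def pad_key(key: bytes) -> bytes:
    """Simple-text keys are 1..8 characters; shorter keys are zero padded on the wire."""
    return key.ljust(AUTH_DATA_LEN, b"\x00")[:AUTH_DATA_LEN]


def build_advertisement(vrid: int, priority: int, adver_int: int,
                        virtual_ips: List[str], key: bytes = b"") -> bytes:
    """Serialise a VRRPv2 advertisement with a correct checksum (sender side)."""
    auth_type = AUTH_SIMPLE if key else AUTH_NONE
    addrs = b"".join(bytes(int(o) for o in ip.split(".")) for ip in virtual_ips)
    body = addrs + pad_key(key)
    header = struct.pack("!BBBBBBH",
                         (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                         vrid, priority, len(virtual_ips), auth_type, adver_int, 0)
    checksum = ones_complement_checksum(header + body)
    return header[:6] + struct.pack("!H", checksum) + body


def validate_advertisement(packet: bytes, ip_ttl: int, key: bytes = b"",
                           check_ttl: bool = True) -> Tuple[Optional[VrrpAdvertisement], str]:
    """Receiver-side checks. Returns (advertisement, "ok") or (None, reason).

    ip_ttl is the TTL from the enclosing IP header (the VRRP payload does not
    carry it). check_ttl=False models the "vrrp un-check ttl" setting.
    An empty key means no authentication is configured on this interface.
    """
    if check_ttl and ip_ttl != REQUIRED_TTL:
        return None, "ttl-not-255"
    if len(packet) < 8:
        return None, "truncated"
    ver_type, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", packet[:8])
    if ver_type >> 4 != VRRP_VERSION:
        return None, "bad-version"
    if ver_type & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        return None, "bad-type"
    if len(packet) != 8 + 4 * count + AUTH_DATA_LEN:
        return None, "bad-length"
    # A valid packet sums to zero once its own checksum field is included.
    if ones_complement_checksum(packet) != 0:
        return None, "bad-checksum"
    expected_type = AUTH_SIMPLE if key else AUTH_NONE
    if auth_type != expected_type:
        return None, "auth-type-mismatch"
    auth_data = packet[8 + 4 * count:]
    # Constant-time compare; note the key itself still travels in clear text in simple mode.
    if auth_type == AUTH_SIMPLE and not hmac.compare_digest(auth_data, pad_key(key)):
        return None, "auth-mismatch"
    ips = [".".join(str(b) for b in packet[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return VrrpAdvertisement(vrid, priority, auth_type, adver_int, ips, auth_data), "ok"


if __name__ == "__main__":
    # Constructed sample mirroring the reference's examples: vrid 1,
    # virtual IP 10.10.10.10, advertise interval 5 s, simple key "user".
    pkt = build_advertisement(1, 100, 5, ["10.10.10.10"], b"user")
    print(validate_advertisement(pkt, 255, b"user"))
    print(validate_advertisement(pkt, 64, b"user"))                   # dropped by the TTL check
    print(validate_advertisement(pkt, 64, b"user", check_ttl=False))  # accepted with un-check ttl
</test>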
Format
vrrp vrid virtual-router-id timer advertise advertise-interval undo vrrp vrid virtual-router-id timer advertise
Parameters
virtual-router-id: specifies the ID of a VRRP backup group. The value is an integer in the range of 1 to 255.
advertise-interval: specifies the interval at which the master Eudemon sends VRRP packets. The value ranges from 1 to 255 seconds. The default value is 1 second.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
This command sets the interval at which the master Eudemon sends VRRP packets.
Examples
# Set the interval at which the master Eudemon in backup group 1 sends VRRP packets to 5 seconds.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] vrrp vrid 1 timer advertise 5
Format
vrrp vrid virtual-router-id virtual-ip virtual-address [ ip-mask | ip-mask-length ] { master | slave }
undo vrrp vrid virtual-router-id
Parameters
virtual-router-id: specifies the ID of the VRRP backup group. The value is an integer in the range of 1 to 255.
virtual-address: specifies the virtual IP address of the VRRP backup group in dotted decimal notation.
ip-mask: specifies the address mask in dotted decimal notation.
ip-mask-length: specifies the address mask length. The value is an integer in the range of 0 to 32.
master: specifies the master VRRP management group.
slave: specifies the slave VRRP management group.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, no backup group is added to the system. The VRRP management group allocates the virtual IP address to a VRRP backup group only after the backup group has been added to the VRRP management group.
NOTE
- When a VRRP management group is used on the Eudemon, make sure that the virtual IP address is not identical to the actual IP address of any interface.
- The network segment of the virtual IP address must not overlap that of any other interface.
- The interface on which the command is executed must be configured with an IP address.
You can use this command to create a backup group or to add a virtual IP address to an existing backup group. A backup group can be configured with 1 virtual IP address. You can also use the undo vrrp vrid command to delete an existing backup group or a virtual IP address in a backup group. If all IP addresses in a backup group are deleted, the system automatically deletes the backup group.
Examples
# Create a backup group and configure it with a virtual IP address.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] vrrp vrid 1 virtual-ip 10.10.10.10 24 master
Format
vrrp vrid virtual-router-id ip-link link-id
Parameters
virtual-router-id: specifies the ID of the VRRP backup group. The value is an integer in the range of 1 to 255.
link-id: specifies the ID of the link to be checked. The value is an integer in the range of 1 to 32.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
When the IP link check detects that the link is down, the priority of the management group changes and an active/standby switchover takes place.
Examples
# Specify an IP link to be checked.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] vrrp vrid 2 ip-link 3
Format
vrrp virtual-mac enable undo vrrp virtual-mac enable
Parameters
None
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
By default, the virtual MAC address function is disabled. This command cannot be backed up between the master and the backup, so you must configure it on both the master and the backup.
Examples
# Enable the GigabitEthernet 0/0/0 interface to use the virtual MAC address.
Format
debugging hrp { all | packet | state | timer } undo debugging hrp { all | packet | state | timer }
Parameters
all: enables all HRP debugging.
packet: enables HRP packet debugging.
state: enables HRP state debugging.
timer: enables HRP timer debugging.
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
By default, the debugging of HRP is disabled.
Examples
# Enable HRP packet debugging.
<Eudemon> debugging hrp packet
Format
debugging hrp configuration check undo debugging hrp configuration check
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
None
Examples
# Enable the consistency check debugging after the HRP function is started on the Eudemon.
<Eudemon> debugging hrp configuration check
Format
display hrp { configuration check { all | acl | hrp } | group | interface | state | statistic }
Parameters
configuration check: displays the result of the HRP and ACL consistency check.
group: displays the state of the HRP management group.
interface: displays the current HRP backup channel interface and its status.
state: displays the current HRP status.
statistic: displays the current HRP backup statistics.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Examples
# Display HRP status after the HRP function is started on the Eudemon.
<Eudemon> display hrp state
Format
hrp auto-sync [ config | connection-status ]
Parameters
config: enables automatic backup of configuration commands.
connection-status: enables automatic backup of connection states.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
NOTE
This command is valid only when the device works in route mode or composite mode.
This command is available only when dual-system hot backup is enabled, that is, when the hrp enable command is configured. If no parameter is specified, the hrp auto-sync command automatically backs up both configuration commands and connection states. In load balancing mode, only the master configuration device can automatically back up configuration commands, and only the firewalls in the master VRRP management group can automatically back up connection states.
Examples
# Enable the automatic backup of configuration commands.
<Eudemon> system-view
[Eudemon] hrp auto-sync config
Format
hrp enable undo hrp enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
CAUTION
Before enabling HRP, the interface configuration on the master and the backup must be consistent, including:
- Position and number of the interfaces.
- Configuration related to hot backup. That is, the VRRP backup groups configured on the interfaces or sub-interfaces of corresponding slots must be added to the same VRRP management group: the master device is added to the master management group, and the backup device is added to the slave management group.
- Interfaces and sub-interfaces on corresponding slots must be added to the same zone.
By default, HRP dual-system hot backup is disabled. You can automatically or manually back up commands only after dual-system hot backup is enabled. If the state of the VRRP management group changes, the HRP state and the master/slave configuration device state might change as a result; conversely, the HRP state might affect the state of the VRRP management group. After dual-system hot backup is disabled, configuration commands and connection states can no longer be backed up, but VRRP backup groups can still be added to or deleted from the VRRP management group.
Examples
# Enable HRP dual-system hot backup.
<Eudemon> system-view
[Eudemon] hrp enable
Format
hrp ospf-cost adjust-enable [ ospf-cost ] undo hrp ospf-cost adjust-enable
Parameters
ospf-cost: specifies the OSPF cost value. The value is an integer in the range of 1 to 65535.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If no ospf-cost is specified, the system automatically adjusts the OSPF cost to 65500 based on the HRP state.
Examples
# Enable OSPF cost change based on HRP state.
<Eudemon> system-view
[Eudemon] hrp ospf-cost adjust-enable 300
Format
hrp sync [ config | connection-status ]
Parameters
config: manually starts batch backup of configuration commands.
connection-status: manually starts batch backup of connection states.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
By default, manual batch backup of connection states is disabled. Each time you run the hrp sync command, the configuration commands and connection states are backed up in a batch. If no parameter is specified, the hrp sync command backs up both configuration commands and connection states. The interval between two runs of the hrp sync command is 600 seconds.
Examples
# Enable batch backup of configuration commands manually.
<Eudemon> hrp sync config
Format
hrp interface interface-type interface-number [ transfer-only ]
undo hrp interface interface-type interface-number [ transfer-only ]
Parameters
interface-type: specifies the type of an interface.
interface-number: specifies the number of an interface.
transfer-only: can be configured when the devices in the backup group are directly connected. In this case, the backup tunnels are used to transmit backup data only. Otherwise, you do not need to configure this parameter, and the backup tunnels can also be used to transmit service traffic.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
This interface must be a high-speed main interface. A Eudemon can be configured with a maximum of 16 interfaces for HRP backup tunnels. The interfaces for HRP backup tunnels take effect only after VRRP is configured.
Examples
# Configure interface GigabitEthernet 0/0/0 for backing up the session table on the Eudemon.
<Eudemon> system-view
[Eudemon] hrp interface GigabitEthernet 0/0/0
Format
hrp mirror session enable undo hrp mirror session enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Before running the hrp mirror session enable command, run the hrp enable command to enable HRP dual-system hot backup first.
Examples
# Enable the session fast backup function.
<Eudemon> system-view
[Eudemon] hrp mirror session enable
Using the undo hrp configuration check command, you can prohibit the checking on consistency of the settings on the master and backup firewalls.
Format
hrp configuration check { acl | hrp } undo hrp configuration check
Parameters
acl: checks the consistency of the ACL configuration on the master and backup firewalls.
hrp: checks the consistency of the VRRP group and HRP configuration on the master and backup firewalls.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Running the hrp configuration check command once checks the configuration consistency on both sides. If the check is already running, the system prompts that the command is running. If no HRP backup tunnel interface is configured, the system reports that the packet cannot be sent.
Examples
# Check the configuration consistency of the HRPs on the master and backup firewalls.
<Eudemon> system-view
[Eudemon] hrp configuration check hrp
Format
hrp timer hello interval undo hrp timer hello
Parameters
interval: specifies the interval at which Hello messages are sent. The value ranges from 200 to 60000 milliseconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The default value is 1000 milliseconds.
Examples
# Set the interval at which the master sends Hello messages to 10000 milliseconds.
<Eudemon> system-view
[Eudemon] hrp timer hello 10000
Format
hrp preempt delay interval undo hrp preempt delay
Parameters
interval: specifies the preempt delay. The value ranges from 0 to 1800 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the preempt delays of the HRP group.
Examples
# Set the preempt delay of the HRP group to 100s.
<Eudemon> system-view
[Eudemon] hrp preempt delay 100
Format
hrp track { master | slave } undo hrp track
Parameters
master: specifies that the master management group monitors the interface.
slave: specifies that the slave management group monitors the interface.
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
When the status of an interface monitored by the master management group changes from Up to Down, the priority of the master management group decreases. By default, interface monitoring is not configured.
Examples
# Configure the master management group to monitor GigabitEthernet 0/0/0.
<Eudemon> system-view
[Eudemon] interface GigabitEthernet 0/0/0
[Eudemon-GigabitEthernet0/0/0] hrp track master